
Subject: comp.dcom.sys.cisco FAQ Version 2.20 (Last Modified 5/29/02)
Followup-To: comp.dcom.sys.cisco
Keywords: comp.dcom.sys.cisco FAQ
Reply-To: Hansang Bae <[email protected]>
Sender: Hansang Bae <[email protected]>
Summary: This is the FAQ for the comp.dcom.sys.cisco newsgroup

Archive-name: comp.dcom.sys.cisco/faq
Posting-Frequency: monthly
Last-modified: February 09, 2002
Version: 2.20

NEW IN VERSION 2.20
0.1 Where can I obtain the FAQ:
118. Where can I find a list of undocumented IOS commands?
119. Where can I find information on securing or hardening Cisco routers?
120. How can I connect two Cisco routers back to back through the AUX ports?
121. How do I use Secure Shell (SSH) on Cisco devices?
122. Can I use a /31 address space for my serial point-to-point interfaces?
123. How do I see log messages on the router console?
124. What is my overhead of using IPSec?
125. What is the pinout for the DB9 to RJ45 connector?
126. Should I use a T1, Cable modem or DSL for Internet connections?
127. How do I change the time length of 15 mins that is used when displaying the Show ISDN history command?
128. Why do I see "double" characters when I telnet into my router?
129. How do I see power-supply failures via SNMP?
130. How do I change the timer for tx/rxload when doing "show int" command?
131. How do I setup SLIP on my Cisco terminal servers?
132. How do I setup FR End-to-End keepalives?
133. What basic information do I need to setup a T1 from my ISP?
134. How do I setup NAT and Port forwarding?
135. Where can I buy some Back-to-Back serial cables?
136. How can I policy-route router generated packets?
137. Is there another way to upload my IOS w/o a tftp server?
138. What does the keyword EXTENDABLE mean when doing NAT?
139. Where can I get some third party icons for my Visio program?
140. Can you help me interpret the output from "Looking Glass" (BGP)?
141. When using Tunnel with an interface that has an ACL, what happens?
142. Do I need a Xover cable when using 1000Base-T?
143. How do I break the "Rule of Ten" for BGP Load balancing?
144. How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?
145. Should I turn off console logging?

This FAQ is edited by Hansang Bae, <[email protected]>.

Administrivia:
The new section starts from Question 39 and up (inclusive). The old section was from the original FAQ which I did not maintain.

Please contribute answers to the questions in the Todo section! If your answer is somewhat complicated, posting would probably be best (to comp.dcom.sys.cisco). Otherwise, e-mail it to [email protected]. Please note that a LOT of these questions have been hanging around for some time, and if knowledgeable people could take the time to answer a few of them, that'd help.

Since this FAQ was first developed, cisco has written up a lot of useful information on their web site, http://www.cisco.com. If you can't find what you're looking for here, please check there, too.

Table of Contents

0. Hall of Fame for Revision 2.0 and above: See end of the FAQ:
0.1 Where can I obtain the FAQ:
1. How can I contact cisco?
2. What is this newsgroup?
3. What does ``cisco'' stand for?
4. How do I save the configuration of a cisco?
5. Where can I get ancillary software for my cisco?
6. Is there a World-Wide-Web (www) information source?
7. How can I get my cisco to talk to a third party router over a serial link?
8. How can I get my cisco to talk to a 3rd-party router over Frame Relay?
9. How can I use debugging?
10. How can I use NTP (Network Time Protocol) with my cisco?
11. Sample cisco NTP Configurations
12. How do I avoid the annoying DNS lookup if I have misspelled a command?
13. Tracing bad routing information
14. How to use access lists
15. The cisco boot process
16. Where can I get cisco hardware?
17. Where can I get IETF documents (RFCs, STDs, etc.)?
18. Future features in cisco software
19. How do cisco routers rate performance-wise?
20. How are packets switched?
21. How does one interpret buffer statistics?
22. How should I restrict access to my router?
23. What can I do about source routing?
24. Is there a block of private IP addresses I can use?
25. Is DHCP supported?
26. Where can I get cisco documentation?
27. What's the latest software for the CSC/3?
28. What IP routing protocol should I use?
29. How do I interpret the output of ``show version''?
30. What is the maximum number of Frame Relay PVCs?
31. How much memory is necessary to telnet to a cisco router?
32. Where can I purchase flash RAM?
33. When are static routes redistributed?
34. When is the next hop of a route considered ``reachable''?
35. How do name and phone number of ``dialer map'' interfere?
36. What's the purpose of the network command?
37. What is VLSM?
38. What are some methods for conserving IP addresses for serial lines?

******************************************************************************
New questions/answers for revision 2.00 start from here!
******************************************************************************

39. Flash upgrade issues for Cisco 2500 series routers
40. How do I prevent my switch ports from going into ErrDisable state?
41. How do I configure a router to act as a Frame-Relay Switch?
42. What are the different types of memory used by Cisco Routers?
43. How do I load the Documentation CD (UniverseCD) on Windows 2000?
44. How do I load a large image on a 2500 *lab* router?
45. Daisy-chaining reverse telnet Aux-to-Console ports
46. What Windows chatter could bring up an ISDN line?
47. How do I make NTP packets so it's only interesting on router bootup?
48. How do I setup Lock & Key ACL?


49. How do I telnet to a specific VTY line?
50. Is there a better (free) tftp server than the one by Cisco?
51. How do I use the Cisco Documentation CD (UniverseCD) under Linux?
52. How do I NAT on a single Cisco 2503 Ethernet interface?
53. How do I hide a summarized OSPF route from one ABR to another?
54. What is the pinout for the Console port on a 2518?
55. How do I find the "real" IOS name when the file is in DOS format?
56. How do I setup Windows 2000 and IPSec to PIX Firewall?
57. How do I use tftpdnld via Ethernet port on a 2600?
58. How do I setup MultiLinkPPP?
59. How much memory is taken up by BGP routes?
60. What is the difference between a CiscoPro model and a regular one?
61. How do I stop my router from looking for cisconet.cfg or network-config?
62. How do I setup DHCP service on my router?
63. How do I configure a transparent proxy redirecting on a CISCO router?
64. How do I use the PCMCIA slot in my 2500 router?
65. What cable do I use on a 1900 switch with a DB9 Console connector?
66. How do I use a route-map to limit redistribution in OSPF?
67. How do I connect 675 DSL units back to back?
68. How do I format the PCMCIA card on a 3600?
69. How do I read Token Ring MAC and RIF?
70. How are Ethernet MAC addresses transmitted?
71. Why are the 46th and the 47th bit significant in an Ethernet MAC address?
72. Why can't I upload an IOS image on to my flash on my 2500 router?
73. How do I configure my router so it becomes a DHCP CLIENT?
74. Does my Cisco terminal server send a BREAK signal on reboot?
75. How do I access the Console port on an AccessPro (AP-EC) card?
76. How do you setup a simple Priority Queuing?
77. What are the pros and cons of using two ISP/BGP providers?
78. How do I tell the difference between the different 2900 XL switches?
79. How do I suppress the transmission of PPP frames when dialing in?
80. Where can I get mzmaker to compress my IOS?
81. What is the meaning of in/out in reference to an access-list?
82. How do I remove the /32 - host - route when a PPP link comes up?
83. How do I forward DHCP broadcasts to my DHCP server?
84. How do I use the ip-helper command to facilitate DHCP use?
85. How do I send L2 traffic through a tunnel?
86. How do I sort my IP Addresses using Unix tools?
87. Why is measuring collisions a meaningless endeavour?
88. How do I stop password-recovery on my routers?
89. How do I setup a Multilink PPP?
90. How do I setup ppp callback with dialer-pool?
91. My configs are too large. What can I do?
92. What does Frame-relay LMI and Encapsulation really do/mean?
93. How do I make a T1 Cross-over cable?
94. Can I use a router to simulate a BRI switch? (Also see question 101)
95. How do I use Policy Based Routing?
96. How do I setup a VPN tunnel using pre-shared keys?
97. Why does one packet always get dropped on the last hop of traceroute?
98. How to setup NAT'ing based on outgoing interface to two different ISPs.
99. How do I use IPX over DDR?
100. How can I automatically ping a range of IP addresses in the Wintel world? See also question 115.
101. Sample config of using VIC BRI interfaces as an ISDN switch.
102. How do I do X25 over ISDN D channel?
103. What can I do to remove SAP Type 640 on my routers?
104. What kind of memory does the 2500 use?
105. How do I make an Ethernet Cross-over cable?
106. How do I use NBAR to block NIMDA?
107. What is a FECN/BECN and does it mean anything?


108. How do I stop logging (and generating snmp trap) for up/down interfaces?
109. How do I setup the variables to do tftpdnld in rommon?
110. How do I get the memory-usage on the Vip-Card?
111. What is the order of operation in terms of how a packet is processed?
112. What are the different T1 jack type codes?
113. How do I show just one interface's configuration?
114. How can I search CCO for IS-IS related information?
115. How can I script a network reachability test? See also question 100.
116. How can I access the console port on my MSFC in my 6500?
117. How do I access my MSFC/Router in my 6509?
118. Where can I find a list of undocumented IOS commands?
119. Where can I find information on securing or hardening Cisco routers?
120. How can I connect two Cisco routers back to back through the AUX ports?
121. How do I use Secure Shell (SSH) on Cisco devices?
122. Can I use a /31 address space for my serial point-to-point interfaces?
133. How do I see log messages on the router console?
134. What is my overhead of using IPSec?
135. What is the pinout for the DB9 to RJ45 connector?
136. Should I use a T1, Cable modem or DSL for Internet connections?
137. How do I change the time length of 15 mins that is used when displaying the Show ISDN history command?
138. Why do I see "double" characters when I telnet into my router?
139. How do I see power-supply failures via SNMP?
140. How do I change the timer for tx/rxload when doing "show int" command?
141. How do I setup SLIP on my Cisco terminal servers?
142. How do I setup FR End-to-End keepalives?
143. What basic information do I need to setup a T1 from my ISP?
144. How do I setup NAT and Port forwarding?
145. Where can I buy some Back-to-Back serial cables?
146. How can I policy-route router generated packets?
147. Is there another way to upload my IOS w/o a tftp server?
148. What does the keyword EXTENDABLE mean when doing NAT?
149. Where can I get some third party icons for my Visio program?
150. Can you help me interpret the output from "Looking Glass" (BGP)?
151. When using Tunnel with an interface that has an ACL, what happens?
152. Do I need a Xover cable when using 1000Base-T?
153. How do I break the "Rule of Ten" for BGP Load balancing?
154. How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?

todo:[Update the Todo section. How ironic!]

Actual content.

**************************************************************************

From: Question 0.1
Date: 10 February 2002
Subject: Where can I obtain/View the FAQ
Answer by: N/A

A. You can use any Usenet (Newsgroup) reader to read comp.dcom.sys.cisco or alt.certification.cisco
B. http://www.networkingunlimited.com/CiscoFAQ.html
C. http://www.evolutiontechnical.com/cisco-faq/index.htm
D. http://mrubino.com:8080/cdsc-faq


**************************************************************************

From: Question 1
Date: 31 October 1994
Subject: How can I contact cisco?

Corporate address:

cisco Systems
170 West Tasman Drive
San Jose, CA 95134

The following phone numbers are available:

Technical Assistance Center (TAC)                +1 800 553 2447 (553 24HR)
                                                 +1 800 553 6387
                                                 +1 408 526 8209
Customer Service (Documentation, Warranty &      +1 800 553 6387
  Contract Services, Order Status)
Engineering                                      +1 800 553 2447 (553 24HR)
On-site Services, Time & Materials Service       +1 800 829 2447 (829 24HR)
Corporate number / general                       +1 408 526 4000
Corporate FAX (NOT tech support)                 +1 408 526 4100

The above 800 numbers are US/Canada only.

cisco can also be contacted via e-mail:

[email protected]      Technical Assistance Center
[email protected]      European TAC
[email protected]      Literature and administrative (?) requests
[email protected]      *UNRELIABLE*, special-interest, ``non-support''

Please follow the directions available on CIO before doing this. cisco provides an on-line service for information about their routers and other products, called CIO (cisco Information Online). telnet to cio.cisco.com for more details.

The collective experience of this FAQ indicates that it is far wiser to open a case using e-mail than FAXes, which may be mislaid, shredded, etc.

For those of you still in the paperfull office (unlike the rest of us), cisco Systems' new corporate address is:

170 West Tasman Drive San Jose, CA 95134

Mail to [email protected] should include your service contract number, your name, telephone number, a brief one line problem/question description, and a case priority in the first 5 lines. For example:

Cisco service contract number    92snt1234a
First and last name              Jane Doe
Best number to contact you       415-555-1234
Problem/question description     Cannot see Appletalk zones
Case Priority                    3

CASE PRIORITIES are defined as one of the following:

Pri 1   Production network down, critical business impact
Pri 2   Production net seriously degraded, serious impact
Pri 3   Network degraded, noticeable impact to business
Pri 4   General information, non production problems

**************************************************************************

From: Question 2
Date: 26 July 1994
Subject: What is this newsgroup?

comp.dcom.sys.cisco, which is gatewayed to the mailing list [email protected], is a newsgroup for discussion of cisco hardware, software, and related issues. Remember that you can also consult with cisco technical support.

This newsgroup is not an official cisco support channel, and should not be relied upon for answers, particularly answers from cisco Systems employees.

Until recently, the mailing list was gatewayed into the newsgroup, one-way. It is possible that this arrangement may resume at some time in the future.

**************************************************************************

From: Question 3
Date: 31 October 1994
Subject: What does ``cisco'' stand for?

cisco folklore time:

At one point in time, the first letter in cisco Systems was a lowercase ``c''. At present, various factions within the company have adopted a capital ``C'', while fierce traditionalists (as well as some others) continue to use the lowercase variant, as does the cisco Systems logo. This FAQ has chosen to use the lowercase variant throughout.

cisco is not C.I.S.C.O. but is short for San Francisco, so the story goes. Back in the early days when the founders Len Bosack and Sandy Lerner and appropriate legal entities were trying to come up with a name they did many searches for non similar names, and always came up with a name which was denied. Eventually someone suggested ``cisco'' and the name wasn't taken (although SYSCO may be confusingly similar sounding). There was an East Coast company which later was using the ``CISCO'' name (I think they sold in the IBM marketplace) they ended up having to not use the CISCO abbreviation. Today many people spell cisco with a capital ``C'', citing problems in getting the lowercase ``c'' right in publications, etc. This led to at least one amusing article headlined ``Cisco grows up''. This winter we will celebrate our 10th year.

[This text was written in July of 1994 -jhawk]

**************************************************************************


From: Question 4
Date: 31 October 1994
Subject: How do I save the configuration of a cisco?

If you have a tftp server available, you can create a file on the server for your router to write to, and then use the write network command. From a typical unix system:

mytftpserver$ touch /var/spool/tftpboot/myconfig
mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig

myrouter#write net
Remote host [10.7.0.63]? 10.7.0.2
Name of configuration file to write [myrouter-confg]? myconfig
Write file foobar on host 10.7.0.2? [confirm] y

Additionally, there's a Macintosh TFTP server available:

ftp://nic.switch.ch/software/mac/peterlewis/tftpd-100.sit.hqx

Additionally, you can also use expect, available from:

ftp://ftp.uu.net/languages/tcl/expect/expect.tar.gz
ftp://ftp.cme.nist.gov/expect/expect.tar.gz

or, in shar form from ftpeng.cisco.com.

Expect allows you to write a script which telnets to the router and performs a ``write terminal'' command, or any other arbitrary set of command(s), using a structured scripting language (Tcl).
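The host-side half of the tftp procedure above, as an added example rather than anything from the FAQ: it creates the world-writable target that the router's ``write net'' needs, then, once the router has written it, takes the world access away again (the saved config carries the router's passwords) and checks that a complete config actually arrived. It is Python rather than the FAQ's expect/Tcl, and the tftp root, the sample configuration text and the markers it looks for (a ``hostname'' line, a trailing ``end'') are assumptions about a typical IOS config, not anything the FAQ states.

```python
import os
import stat
import tempfile

# Added example, not from the FAQ. Assumed markers of a complete IOS config:
# a "hostname" line somewhere and "end" as the last line.

def prepare_tftp_target(tftp_root, name):
    """Create an empty, world-writable file for the router to overwrite
    (the FAQ's 'touch' + 'chmod a+w': most tftpds will not create files).
    Returns the path."""
    path = os.path.join(tftp_root, name)
    with open(path, "w"):
        pass
    os.chmod(path, 0o666)
    return path


def finalize_saved_config(path):
    """Remove group/world access from the saved config and check that a
    complete config arrived. Returns a list of problems (empty = fine)."""
    problems = []
    os.chmod(path, 0o600)          # the file now holds the router's secrets
    with open(path) as fh:
        lines = [ln.rstrip("\n") for ln in fh]
    if not lines:
        problems.append("file is empty: the router probably could not write it")
        return problems
    if not any(ln.startswith("hostname ") for ln in lines):
        problems.append("no 'hostname' line: not a full running config?")
    if lines[-1].strip() != "end":
        problems.append("config does not end with 'end': transfer truncated?")
    return problems


# Constructed sample of what a router would write; not a real device's config.
SAMPLE_CONFIG = ("!\nhostname myrouter\n!\ninterface Ethernet0\n"
                 " ip address 10.7.0.63 255.255.255.0\n!\nend\n")


def simulate_write_net(config_text):
    """Round trip in a scratch directory: prepare the target, stand in for the
    router by writing config_text into it, then finalize.
    Returns (problems, permission bits after finalizing)."""
    root = tempfile.mkdtemp()
    path = prepare_tftp_target(root, "myconfig")
    with open(path, "w") as fh:
        fh.write(config_text)
    problems = finalize_saved_config(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return problems, mode


if __name__ == "__main__":
    print(simulate_write_net(SAMPLE_CONFIG))   # ([], 384) i.e. mode 0600, no problems
    print(simulate_write_net(""))              # reports the empty file
```

In real use the two functions are run on the tftp server around the ``write net'' step; ``simulate_write_net`` only exists so the check can be exercised without a router.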

**************************************************************************

From: Question 5
Date: 5 July 1994
Subject: Where can I get ancillary software for my cisco?

Try ftping to

ftp://ftpeng.cisco.com/pub

It's a hodgepodge collection of useful stuff, some maintained and some not. Some is also available from

ftp://cio.cisco.com

Vikas Aggarwal has a very customised tacacsd:

A new version of xtacacsd is available via anonymous FTP from:

ftp://ftp.navya.com/pub/vikas/xtacacsd-3.5.shar.gz

**************************************************************************

From: Question 6
Date: 28 April 1996
Subject: Is there a World-Wide-Web (www) information source?


You can try the WWW page for this FAQ:

http://www.panix.com/cisco-faq/

or the cisco Educational Archive (CEA) home page:

http://sunsite.unc.edu/cisco/cisco-home.html

or the cisco Information Online (CIO) home page:

http://www.cisco.com/

**************************************************************************

From: Question 7
Date: 5 July 1994
Subject: How can I get my cisco to talk to a third party router over a serial link?

You need to tell your cisco to use the same link-level protocol as the other router; by default, ciscos use a rather bare variant of HDLC (High-level Data Link Control), which all link-level protocols use at some level/layer or another. To make your cisco operate with most other routers, you need to change the encapsulation from HDLC to PPP on the relevant interfaces. For instance:

sewer-cgs#conf t
Enter configuration commands, one per line.
Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
interface serial 1
encapsulation ppp
^Z

sewer-cgs#sh int s 1
Serial 1 is administratively down, line protocol is down
  Hardware is MCI Serial
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
  Encapsulation PPP, loopback not set, keepalive set (10 sec)
  ^^^^^^^^^^^^^^^^^
[...]

If you're still having trouble, you might wish to turn on serial interface debugging:

sewer-cgs#ter mon
sewer-cgs#debug serial-interface

**************************************************************************

From: Question 8
Date: 27 July 1994
Subject: How can I get my cisco to talk to a 3rd-party router over Frame Relay?

You should tell your cisco to use ``encapsulation frame-relay ietf'' (instead of ``encapsulation frame-relay'') on your serial interface that's running frame relay if your frame relay network contains a diverse set of manufacturers' routers. The keyword ``ietf'' specifies that your cisco will use RFC1294-compliant encapsulation, rather than the default, RFC1490-compliant encapsulation (other products, notably Novell MPR 2.11, use a practice sanctioned by 1294 but deemed verboten by 1490, namely padding of the nlpid). If only a few routers in your frame relay cloud require this, then you can use the default encapsulation on everything and specify the exceptions with the frame-relay map command:

frame-relay map ip 10.1.2.3 56 broadcast ietf
                                          ^^^^

(ietf stands for Internet Engineering Task Force, the body which evaluates Standards-track RFCs; this keyword is a misnomer as both RFC1294 and RFC1490 are ietf-approved, however 1490 is most recent and is a Draft Standard (DS), whereas 1294 is a Proposed Standard (one step beneath a DS), and is effectively obsolete).

**************************************************************************

From: Question 9
Date: 26 July 1994
Subject: How can I use debugging?

The ``terminal monitor'' command directs your cisco to send debugging output to the current session. It's necessary to turn this on each time you telnet to your router to view debugging information. After that, you must specify the specific types of debugging you wish to turn on; please note that these stay on or off until changed, or until the router reboots, so remember to turn them off when you're done.

Debugging messages are also logged to a host if you have trap logging enabled on your cisco. You can check this like so:

sl-panix-1>sh logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 66 messages logged
    Monitor logging: level debugging, 0 messages logged
    Trap logging: level debugging, 69 message lines logged
        Logging to 198.7.0.2, 69 message lines logged
sl-panix-1>

If you have syslog going to a host somewhere and you then set about a nice long debug session from a terminal, your box is doing double work and sending every debug message to your syslog server. Additionally, if you turn on something that provides copious debugging output, be careful that you don't overflow your disk (``debug ip-rip'' is notorious for this).

One solution to this is to only log severity ``info'' and higher:

sl-panix-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
logging trap info

The other solution is to just be careful and remember to turn off debugging. This is easy enough with:

sl-panix-1#undebug all


If you have a heavily loaded box, you should be aware that debugging can load your router. The console has a higher priority than a vty so don't debug from the console; instead, disable console logging:

cix-west.cix.net#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
no logging console

Then always debug from a vty. If the box is busy and you are a little too vigorous with debugging and the box is starting to sink, quickly run, don't walk, to your console and kill the session on the vty. If you are on the console your debugging has top priority and then the only way out is the power switch. This of course makes remote debugging a real sweaty palms adventure especially on a crowded box. Caveat debugger!

Also, if you for some reason forget what the available debug commands are and don't have a manual handy, remember that's what on-line help is for. Under pre 9.21 versions, ``debug ?'' lists all commands. Under 9.21 and above, that gives you general categories, and you can check for more specific options by specifying the category: ``debug ip ?''.

As a warning, the ``logging buffered'' feature causes all debug streams to be redirected to an in-memory buffer, so be careful using that.

Lastly, if you're not sure what debugging criteria you need, you can try ``debug all''. BE CAREFUL! It is way useful, but only in a very controlled environment, where you can turn off absolutely everything you're not interested in. Saves a lot of thinking. Turning it on on a busy box can quickly cause meltdown.
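As an added example (not from the FAQ), the following Python parses ``show logging'' output in the format shown above and reports the two situations this answer warns about: trap logging at level debugging with a syslog host configured, and console logging still on while you debug. The sample output is the FAQ's own, copied in as constructed test input; the wording of the findings is mine.

```python
import re

# Added example, not from the FAQ. Parses "show logging" as printed above and
# applies the two pieces of advice from this answer.

SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 66 messages logged
    Monitor logging: level debugging, 0 messages logged
    Trap logging: level debugging, 69 message lines logged
        Logging to 198.7.0.2, 69 message lines logged
"""

# "Console logging: level debugging, ..." or "Console logging: disabled"
_LEVEL_RE = re.compile(
    r"^\s*(Console|Monitor|Trap|Buffer) logging:\s+(?:level (\w+)|(disabled))")
# "Logging to 198.7.0.2, 69 message lines logged"
_HOST_RE = re.compile(r"^\s*Logging to (\S+?),")


def parse_show_logging(text):
    """Return ({destination: level, or None when disabled}, [syslog hosts])."""
    levels, hosts = {}, []
    for line in text.splitlines():
        m = _LEVEL_RE.match(line)
        if m:
            levels[m.group(1).lower()] = None if m.group(3) else m.group(2)
            continue
        m = _HOST_RE.match(line)
        if m:
            hosts.append(m.group(1))
    return levels, hosts


def audit_logging(text):
    """Return a list of findings based on the FAQ's advice (empty = fine)."""
    levels, hosts = parse_show_logging(text)
    findings = []
    # Every debug line is duplicated to the syslog host(s) at this level.
    if hosts and levels.get("trap") == "debugging":
        findings.append(
            "trap logging is at level debugging and goes to %s: every debug "
            "message is also sent to the syslog server; set 'logging trap info'"
            % ", ".join(hosts))
    # Console output has top priority; on a busy box this can lock you out.
    if levels.get("console"):
        findings.append(
            "console logging is on (level %s): set 'no logging console' and "
            "debug from a vty instead" % levels["console"])
    return findings


if __name__ == "__main__":
    for finding in audit_logging(SAMPLE_SHOW_LOGGING):
        print("-", finding)
```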

**************************************************************************

From: Question 10
Date: 5 July 1994
Subject: How can I use NTP (Network Time Protocol) with my cisco?

>What level of software is required for NTP support in
>a cisco router?

9.21 or above.

>Which cisco routers support NTP?

It is a software feature exclusively. Anything that supports 9.21 or 10 will run NTP (when running that s/w).

>How do I set it up?

The basic hook is:

    ntp server <host> [version n]
or
    ntp peer <host> [version n]

depending on whether you want a client/server or peer relationship. There's a bunch of other stuff available for MD5 authentication, broadcast, access control, etc. You can also use the context-sensitive help feature to puzzle it out; try ``ntp ?'' in config mode.

You'll also want to play with the SHOW NTP * router commands. Here are two examples.

EXAMPLE 1:

router# show ntp assoc

     address         ref clock     st  when  poll reach  delay  offset    disp
+~128.9.2.129        .WWVB.         1   109   512  377    97.8   -2.69    26.7
*~132.249.16.1       .GOES.         1   309   512  357    55.4   -1.34    27.5
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

EXAMPLE 2:

router#show ntp stat
Clock is synchronized, stratum 2, reference is 132.249.16.1
nominal freq is 250.0000 Hz, actual freq is 249.9981 Hz, precision is 2**19
reference time is B1A8852D.B69201EE (12:36:13.713 PDT Tue Jun 14 1994)
clock offset is -1.34 msec, root delay is 55.40 msec
root dispersion is 41.29 msec, peer dispersion is 28.96 msec

For particular cisco NTP questions, feel free to ask in comp.dcom.sys.cisco.

For broader NTP info, see ftp://louie.udel.edu:pub/ntp/doc. The file clock.txt in that directory has info about various public NTP servers. There is also information on radio time receivers that can be connected to an NTP server (this is handy on private networks, if you have an entire campus to get chiming, or if you become a hard core chimer).

The ``ntp clock-period'' command is added automagically to jump-start the NTP frequency compensation when the box is rebooted. This is essentially a representation of the frequency of the crystal used as the local timebase, and may take several days to calculate otherwise. (Do a ``write mem'' after a week or so to save a good value.)

Caveat of obsolescence: Note that the CS-500 will not be able to achieve quite the same level of accuracy as other platforms, since its hardware clock resolution is roughly 242Hz instead of the 1MHz available on other platforms. In practice this shouldn't matter for anyone other than true time geeks.

**************************************************************************

From: Question 11
Date: 5 July 1994
Subject: Sample cisco NTP Configurations

You will need to substitute your own NTP peers, timezones, and GMT offsets into the examples below, of course. Example 1 is in US Central Time Zone, while example 3 is in US Pacific Time Zone. Both account for normal US Daylight Savings Time practices.

EXAMPLE 1 (Charley Kline):
...
clock timezone CST -6
clock summer-time CDT recurring
ntp source eth 0
ntp peer <host1>
ntp peer <host2>
ntp peer <host3>
...

EXAMPLE 2 (Tony Li):
...
ntp source Ethernet0/0
ntp update-calendar
ntp peer <host1>
ntp peer <host2> prefer
...

EXAMPLE 3 (Dave Katz):
...
service timestamps debug datetime localtime
service timestamps log datetime localtime
clock timezone PST -8
clock summer-time PDT recurring
interface Ethernet0
 ip address <mumble>
 ntp broadcast
ntp clock-period 17180319
ntp source Ethernet0
ntp server <host1>
ntp server <host2>
ntp server <host3>

COMMENTS ON EXAMPLE 3:
The config file is commented with date and time (and user id, if TACACS is enabled) when the system thinks the clock is accurate. I've enabled timestamping of debug and syslog messages. I send NTP broadcast packets out onto the local ethernet. I'm in Pacific Standard Time, with U.S. standard daylight saving time rules. I use the IP address of the ethernet as the source for all NTP packets.
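The answer to Question 10 mentions MD5 authentication in passing, but none of the three sample configurations above uses it. As an added example (not from the FAQ, and not cisco's code), the following Python checks the NTP statements of a saved config for it: every ``ntp server'' or ``ntp peer'' line should name a key that is both defined with ``ntp authentication-key'' and listed in ``ntp trusted-key'', and ``ntp authenticate'' must be present. The sample config is constructed; its hosts, the key id and the ``key'' keyword on one server line are assumptions, and ``<string>'' is a placeholder in the FAQ's ``<host>'' style.

```python
import re

# Added example, not from the FAQ. Audits the ntp lines of an IOS config for
# MD5 authentication. The sample below is constructed, not a real device's.

SAMPLE_NTP_CONFIG = """\
ntp authenticate
ntp authentication-key 1 md5 <string>
ntp trusted-key 1
ntp source Ethernet0
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11
ntp peer 192.0.2.12 version 3
"""

_ASSOC_RE = re.compile(r"^ntp (server|peer) (\S+)(.*)$")      # a time source
_DEFINED_RE = re.compile(r"^ntp authentication-key (\d+) md5 ")  # key defined
_TRUSTED_RE = re.compile(r"^ntp trusted-key (\d+)$")             # key trusted
_KEY_RE = re.compile(r"\bkey (\d+)\b")                           # "key N" option


def audit_ntp(config_text):
    """Return a list of findings; an empty list means authentication is on and
    every server/peer uses a key that is both defined and trusted."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    defined = {int(m.group(1)) for m in map(_DEFINED_RE.match, lines) if m}
    trusted = {int(m.group(1)) for m in map(_TRUSTED_RE.match, lines) if m}
    findings = []
    if "ntp authenticate" not in lines:
        findings.append("'ntp authenticate' is missing: no NTP source is verified")
    for ln in lines:
        m = _ASSOC_RE.match(ln)
        if not m:
            continue
        kind, host, rest = m.groups()
        k = _KEY_RE.search(rest)
        if not k:
            findings.append("ntp %s %s has no key: its replies are not authenticated"
                            % (kind, host))
        elif int(k.group(1)) not in defined:
            findings.append("ntp %s %s uses key %s, which is never defined"
                            % (kind, host, k.group(1)))
        elif int(k.group(1)) not in trusted:
            findings.append("ntp %s %s uses key %s, which is not in 'ntp trusted-key'"
                            % (kind, host, k.group(1)))
    return findings


if __name__ == "__main__":
    for finding in audit_ntp(SAMPLE_NTP_CONFIG):
        print("-", finding)
```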

**************************************************************************

From: Question 12
Date: 5 July 1994
Subject: How do I avoid the annoying DNS lookup if I have misspelled a command?

By default, all lines are configured to automatically try a telnet connection if the first word in an input line is not recognized as a valid command. You can disable this by setting ``transport preferred none'' on every line (con, aux and vty). For instance:

sl-panix-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
line vty 0 10
transport preferred none

You can see the number of vty's currently configured with ``show lines''.


Also, you can suspend connect attempts with ^^ followed by ``x'', i.e. shift-ctrl-6 x.
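Since the setting has to be applied on every line, here is an added Python check (not from the FAQ) that reads a saved config, walks the ``line con'', ``line aux'' and ``line vty'' stanzas, expands ranges such as ``line vty 0 10'', and lists the individual lines still on the default, where a mistyped command becomes a telnet attempt. The sample config is constructed.

```python
import re

# Added example, not from the FAQ. Finds "line" stanzas in an IOS config that
# lack "transport preferred none". The sample config is constructed.

SAMPLE_LINE_CONFIG = """\
!
hostname sl-panix-1
!
line con 0
 transport preferred none
line aux 0
line vty 0 4
 transport preferred none
 login
line vty 5 10
 login
!
end
"""

# "line con 0", "line aux 0", "line vty 0 4" (the second number is optional)
_LINE_RE = re.compile(r"^line (con|aux|vty) (\d+)(?: (\d+))?$")


def line_stanzas(config_text):
    """Yield (kind, first, last, [subcommands]) for each 'line' stanza.
    Subcommands are the indented lines that follow; the stanza ends at the
    next unindented command (or the '!' separator)."""
    kind, first, last, body = None, 0, 0, []
    for raw in config_text.splitlines():
        if raw.startswith(" ") and kind:
            body.append(raw.strip())
            continue
        if kind:
            yield kind, first, last, body
            kind = None
        m = _LINE_RE.match(raw.rstrip())
        if m:
            kind = m.group(1)
            first = int(m.group(2))
            last = int(m.group(3) or first)
            body = []
    if kind:
        yield kind, first, last, body


def lines_without_transport_preferred_none(config_text):
    """Return the individual lines (e.g. 'vty 7') that still try a telnet on
    an unrecognized first word, i.e. stanzas missing the FAQ's setting."""
    missing = []
    for kind, first, last, body in line_stanzas(config_text):
        if "transport preferred none" not in body:
            missing.extend("%s %d" % (kind, n) for n in range(first, last + 1))
    return missing


if __name__ == "__main__":
    print(lines_without_transport_preferred_none(SAMPLE_LINE_CONFIG))
    # ['aux 0', 'vty 5', 'vty 6', 'vty 7', 'vty 8', 'vty 9', 'vty 10']
```

Run it against the output of ``write terminal'' (or the file saved per Question 4); an empty list means every line has the setting.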

[It has been suggested that ``no ip ipname-lookup'' to turn off IEN116 helps. I think this is the default -jhawk ]

**************************************************************************

From: Question 13
Date: 31 Oct 1994
Subject: Tracing bad routing information

or: How do I find out which non-cisco systems on my networks generate IP-RIP information without letting them mess up my routing tables.

Here you could work with a default administrative distance. Administrative distance is the basis upon which the cisco prefers routing information of one protocol over another. In this example:

router rip
 network 192.125.254.0
 distance 255
 distance 120 192.125.254.17     ! list all valid RIP suppliers
 [...]

the value 255 has the implicit meaning of not putting this information into the routing table. Therefore, setting an administrative distance of 255 means that all RIP suppliers are by default accepted but their information is not put into the routing table. The administrative distance for the router 192.125.254.17 has been reset to the default (for RIP) of 120, causing its routes to be accepted into the routing table.

Then you can look them up with ``show ip protocols'' and restore the original administrative distance for the ones you want to fill in the routing table.

The same results can be achieved with an ip access-list, but with that, ``show ip protocols'' will only show the valid ones. But often it is more useful to see which systems were generating routing information at all.

This trick works for other routing protocols as well, but please select the proper administrative distance (rather than 120) for the protocol you're using.

**************************************************************************

From: Question 14
Date: 5 July 1994
Subject: How to use access lists

[The following is wholesale included; at some point it'll probably be edited a bit and reformatted... -jhawk ]

Frequently Asked Questions contributed by Howard C. Berkowitz, PSC International, [email protected] @clark.net [probably will be my permanent personal account]

PSC's domain is in mid-setup

Where in the router are access lists applied?

In general, basic access lists are executed as filters on outgoing interfaces. Newer releases of the cisco code, such as 9.21 and 10, do have increased ability to filter on incoming ports. Certain special cases, such as broadcasts and bridged traffic, can be filtered on incoming interfaces in earlier releases. There are also special cases involving console access.

Rules, written as ACCESS-LIST statements, are global for the entire cisco box; they are activated on individual outgoing interfaces by ACCESS-GROUP subcommands of the INTERFACE major command. Filters are applied after traffic has entered on an incoming interface and gone through a routing process; traffic that originates in a router (e.g., telnets from the console port) is not subject to filtering.

                +-----------------------------+
                |           GLOBAL            |
                |   Routing      Access Lists |
                |     ^   v          ^   v    |
      A ------->| 1   ^   v          ^   v  2 |>>>> Access Group >>------> B
        <-------|                             |<-----------------------------
                +-----------------------------+

Some types of ``filter,'' using ``filter'' as a broader class than ACCESS-LIST, can operate on incoming traffic. For example, the INPUT-SAP-FILTER used for Novell networks is applied to Service Advertisement Packets (SAP) seen at incoming interfaces. In general, incoming filtering can only be done for ``system'' rather than user traffic.

Rules of thumb in defining access lists.

First, define what you want to do and in which directions. An informal drawing is a good first step. As opposed to the usual connectivity drawings among routers, it's often convenient to draw unidirectional links between routers.

Second, informally write out your filtering rules. In general, it is best to go from most specific to least specific. Modify the order of writing things to minimize the number of rules needed.

Third, determine which rules need to be on which routers. Explicitly consider the direction of flow, and the possible existence of additional paths that could inadvertently bypass a filter.

Can a cisco router be a ``true'' firewall?

This depends on the definition of firewall. Some writers (e.g., Gene Spafford in _Practical UNIX Security_) define a firewall as a host on which an ``inside'' and/or an ``outside'' application process run, with application-level code linking the two. For example, a firewall might provide FTP access to the outside world, but it would not also provide direct FTP service to the inside world. To place a file on the FTP external server, a designated user would explicitly log onto the FTP server, transfer a file to the server, and log off. The firewall prevents direct FTP connectivity between the inside and outside networks; only indirect, application-level connectivity is allowed.

Firewalls of this sort are complemented by chokes, which filter on network addresses and/or port numbers. Cisco routers cannot do application-level control with access control lists.

Other authors do not distinguish between chokes and filters. Using the loose definition that a firewall is anything that selectively blocks access from the inside to the outside, routers can be firewalls.

IP Specific
-----------

Can the ``operand'' field be used with a protocol keyword of IP to filter on protocol ID?

No. Operand filtering only works for TCP and UDP port numbers.

How can I prevent traffic for a certain Internet application from flowing in one direction but not the other?

Remember that Internet applications flow from a client port to a server port. Denying traffic to port 23, for example, blocks the flow from the client to the server (the server's replies, which come from port 23, are a separate flow).

                +-------------------+
      A ------->| 1               2 |-------> B
        <-------|                   |<-------
                +-------------------+

If we deny traffic to port 23 of address B by placing a filter at interface 2, we have blocked A's ability to telnet to B, but not B's ability to telnet to A. A second filter at interface 1 would be needed to block telnet in both directions. Assume that we only have the filter at interface 2. Telnets to A from B will not be affected because the filter at 2 does not check incoming traffic.
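To make the direction argument concrete, here is an added example (not part of the FAQ or of any cisco software) that models the two-interface router above as a stateless filter: packets are routed first, then checked against an access list applied as an outbound access-group on the egress interface only, exactly as the text describes. The host addresses, interface names and list contents are constructed for illustration; the wildcard semantics (a 1 bit means "don't care") and the implicit deny are the real IOS rules.

```python
"""Added example: outbound-only access-list model of the telnet example.
Hosts, interface names and access-list contents are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp" in this model
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    proto: str      # "ip", "tcp" or "udp"
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None   # the 'eq <port>' operand on the destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return (wildcard_match(p.src, self.src, self.src_wild)
                and wildcard_match(p.dst, self.dst, self.dst_wild))


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First matching entry wins; every access list ends in an implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


class Router:
    def __init__(self, routes: Dict[str, str], outbound_acl: Dict[str, List[Rule]]):
        self.routes = routes              # destination host -> egress interface
        self.outbound_acl = outbound_acl  # egress interface -> access-group out

    def forward(self, p: Packet) -> str:
        """Route first, then filter on the egress interface; nothing is checked inbound."""
        acl = self.outbound_acl.get(self.routes[p.dst])
        return "permit" if acl is None else evaluate(acl, p)


A, B = "192.0.2.10", "198.51.100.20"      # constructed hosts behind interfaces 1 and 2
ANY = ("0.0.0.0", "255.255.255.255")
ROUTES = {A: "Ethernet1", B: "Ethernet2"}

# access-list 101 deny tcp any host <B> eq 23 / access-list 101 permit ip any any
ACL_TO_B = [Rule("deny", "tcp", *ANY, B, "0.0.0.0", dport=23),
            Rule("permit", "ip", *ANY, *ANY)]
ACL_TO_A = [Rule("deny", "tcp", *ANY, A, "0.0.0.0", dport=23),
            Rule("permit", "ip", *ANY, *ANY)]


def filter_only_on_interface_2() -> Dict[str, str]:
    rtr = Router(ROUTES, {"Ethernet2": ACL_TO_B})
    return {
        "A telnets to B":       rtr.forward(Packet(A, B, "tcp", 40000, 23)),
        "B telnets to A":       rtr.forward(Packet(B, A, "tcp", 40001, 23)),
        "A answers B's telnet": rtr.forward(Packet(A, B, "tcp", 23, 40001)),
    }


def filter_on_both_interfaces() -> Dict[str, str]:
    rtr = Router(ROUTES, {"Ethernet2": ACL_TO_B, "Ethernet1": ACL_TO_A})
    return {
        "A telnets to B": rtr.forward(Packet(A, B, "tcp", 40000, 23)),
        "B telnets to A": rtr.forward(Packet(B, A, "tcp", 40001, 23)),
    }


if __name__ == "__main__":
    for name, verdict in filter_only_on_interface_2().items():
        print(f"filter on 2 only:  {name:22s} -> {verdict}")
    for name, verdict in filter_on_both_interfaces().items():
        print(f"filter on 1 and 2: {name:22s} -> {verdict}")
```

The third flow in the first scenario is the one that trips people up: A's replies to a session B opened travel through the same filtered interface, but their destination port is B's ephemeral port, not 23, so the filter passes them. Blocking telnet in both directions needs the second list on interface 1.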

With the arrival of inbound access lists in 9.21, it should be noted that inbound and outbound access lists are about equally efficient, in case any of you were wondering.

It's worth remembering that there are some kinds of problems that packet-filtering firewalls are not best suited for. There's reasonably good information in:

"Network (in)security through packet filtering"
ftp://ftp.greatcircle.com/pub/firewalls/pkt_filtering.ps.Z


**************************************************************************

From: Question 15
Date: 26 July 1994
Subject: The cisco boot process

What really happens when a cisco router boots, from boot start to live interfaces? First it boots the ROM OS version. It reads the config. Now, it realizes that you want to netboot. It loads the netbooted copy in on top of itself. It then re-initializes the box and re-reads the config. Manly, yes, but we like it too....

[[ Ummm... in particular it loads the netbooted copy in as WELL as itself, decompresses it if necessary, and THEN loads it on top of itself. Note that this is important because it tells you what the memory requirements are for netbooting: RAM for the ROM image (if it's a run-from-RAM image), plus dynamic data structures, plus RAM for the netbooted image. ]]

The four ways to boot and what happens (sort of):

I (from bootstrap mode)
    The ROM monitor is running. The I command causes the ROM monitor to walk all of the hardware in the bus and reset it with a brute-force hammer. If the bits in the config register say to auto-boot, then goto B.

B (from bootstrap mode)
    Load the OS from ROM. If a name is given, tell that image to start silently and then load a new image. If the boot system command is given, then start silently and load a new image.

powercycle
    Does some delay stuff to let the power settle. Goto I.

reload (from the EXEC)
    Goto I.

**************************************************************************

From: Question 16
Date: 18 July 1994
Subject: Where can I get cisco hardware?

Try calling 800-553-NETS and asking for your local sales office. That's probably the best plan.

**************************************************************************

From: Question 17
Date: 18 April 1995
Subject: Where can I get IETF documents (RFCs, STDs, etc.)?

Where and how to get new RFCs

RFCs may be obtained via EMAIL or FTP from many RFC Repositories. The Primary Repositories will have the RFC available when it is first announced, as will many Secondary Repositories. Some Secondary Repositories may take a few days to make available the most recent RFCs.

Primary Repositories:

RFCs can be obtained via FTP from DS.INTERNIC.NET, NIS.NSF.NET, NISC.JVNC.NET, FTP.ISI.EDU, WUARCHIVE.WUSTL.EDU, SRC.DOC.IC.AC.UK, FTP.CONCERT.NET, or FTP.SESQUI.NET.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Secondary Repositories:

Sweden
------
Host: sunic.sunet.se
Directory: rfc

Host: chalmers.se
Directory: rfc

Germany
-------
Site: EUnet Germany
Host: ftp.Germany.EU.net
Directory: pub/documents/rfc

France
------
Site: Institut National de la Recherche en Informatique et Automatique (INRIA)
Address: [email protected]
Notes: RFCs are available via email to the above address. Info Server manager is Mireille Yamajako ([email protected]).

Netherlands
-----------
Site: EUnet
Host: mcsun.eu.net
Directory: rfc
Notes: RFCs in compressed format.

France
------
Site: Centre d'Informatique Scientifique et Medicale (CISM)
Contact: [email protected]
Host: ftp.univ-lyon1.fr
Directories: pub/rfc/*         Classified by hundreds
             pub/mirrors/rfc   Mirror of Internic
Notes: Files compressed with gzip. Online decompression done by the FTP server.

Finland
-------
Site: FUNET
Host: funet.fi
Directory: rfc
Notes: RFCs in compressed format. Also provides email access by sending mail to [email protected].

Norway
------
Host: ugle.unit.no
Directory: pub/rfc

Denmark
-------
Site: University of Copenhagen
Host: ftp.denet.dk
Directory: rfc

Australia and Pacific Rim
-------------------------
Site: munnari
Contact: Robert Elz <[email protected]>
Host: munnari.oz.au
Directory: rfc
    rfc's in compressed format   rfcNNNN.Z
    postscript rfc's             rfcNNNN.ps.Z

United States
-------------
Site: cerfnet
Contact: [email protected]
Host: nic.cerf.net
Directory: netinfo/rfc

Site: NASA NAIC
Contact: [email protected]
Host: naic.nasa.gov
Directory: files/rfc

Site: NIC.DDN.MIL (DOD users only)
Contact: [email protected]
Host: NIC.DDN.MIL
Directory: rfc/rfcnnnn.txt
Note: DOD users only may obtain RFC's via FTP from NIC.DDN.MIL. Internet users should NOT use this source due to inadequate connectivity.

Site: uunet
Contact: James Revell <[email protected]>
Host: ftp.uu.net
Directory: inet/rfc

UUNET Archive
-------------

The UUNET archive, which includes the RFCs, various IETF documents, and other information regarding the Internet, is available to the public via anonymous ftp (to ftp.uu.net) and anonymous uucp, and will be available via an anonymous kermit server soon. Get the file /archive/inet/ls-lR.Z for a listing of these documents.

Any site in the US running UUCP may call +1 900 GOT SRCS and use the login "uucp". There is no password. The phone company will bill you at $0.50 per minute for the call. The 900 number only works from within the US.

**************************************************************************

From: Question 18
Date: 22 April 1996
Subject: Future features in cisco software

[This could be more fleshed out (still!)]

Kerberos and RADIUS in 11.1
RIP version 2 in 11.1 (allows VLSM, etc.)
Policy-based routing (routing based on source address or interface, or just about anything else you want) in 11.0 *released*
PPP Multilink in 11.0(3) *released*
Frame Relay payload compression in 11.0(4) *released*
IPX per-host load balancing in 11.1

**************************************************************************

From: Question 19
Date: 27 July 1994
Subject: How do cisco routers rate performance-wise?

People often ask about the performance of cisco routers, and we shy away from answering their questions because we don't know where to send them.

Scott Bradner keeps the results of his performance tests on the Internet. You can find them for ftp on the system hsdndev.harvard.edu in the /pub/ndtl directory. There is a README file in that directory that explains what is available. In addition, cisco has just started publishing a piece of literature called ``The Harvard Benchmark Test Results: Summary of cisco Systems Performance''. The only number I can find on the doc is Lit. #700901. Don't know if you can order it by this number, but at least there's a title to go on.

**************************************************************************

Page 20: 56749405-Cisco-Faq

From: Question 20
Date: 22 April 1996
Subject: How are packets switched?

There are 3 basic types of switching (in order of increasing performance):

    process switching
    fast switching
    autonomous switching

Process and fast switching support inbound and outbound, simple and extended, access lists. Of course, for fast switching, such lists only restrict traffic on the particular fast-switched interface.

Autonomous switching is done in the switch processor, a microcoded device that is capable of switching IP, IPX, and bridging packets in the 100 kpps range. This is known as the "SP" card on the 7000 and the CBUS controller on the AGS+. Encapsulation support is rather limited (Ethernet, HDLC, HSSI...).

The cisco 7000 also supports:

silicon switching

Silicon switching is done in the silicon switching engine (creative, eh? ;-).

The silicon switch processor (SSP) is the board which combines both the switch processor and a silicon switching engine.

The SSP supports simple and extended outbound access lists in 10.3 and later. The SSP supports simple and extended inbound access lists in 11.1 and later.

The cisco 75xx series supports:

    "optimal" switching (cruddy name, eh?)
    "flow" switching
    "distributed" switching

* "optimal" switching (cruddy name, eh?)

The 7500 platform does not have a separate SP or SSP card, rather the RISC processor on the "integrated route/switch processor card (IRSP)" handles switching directly, similar to the 4000 series routers. There are several hardware and software enhancements made though to increase the throughput to a level that is several times above what you would normally get from "fast" switching. Everything that "fast" switching supports is supported in "optimal" switching.

* "flow" switching

Basically the "optimal" switching method, however things have been front-ended with an additional small "flow" cache. This flow cache contains information about source/destination addresses & ports which allow the router to make more informed queueing decisions and process access lists faster. This is a win in routers that would tend to carry a reasonably small number of flows at any one time, such as what you would expect in a corporate network or in a smaller internet service provider network. It's unclear if there are any advantages in a large internet backbone.

* "distributed" switching

cisco has announced a new type of interface-processor card, called a "VIP", available in the 7500 platform that is intelligent enough to switch packets with no intervention on the part of the IRSP card. This once again separates switching from routing, as in the earlier CBUS/SP/SSP design.

The first packet of every session or connection is always process switched. The route table is consulted (this resides in DRAM on the CPU) and the "result" is cached in the system memory cache. If the protocol can only be process switched, then it will continue this way and interrupt the CPU for a route table lookup each time. [comment: Process switching is brutally slow compared to other switching methods. Some features (usually new features do this for the first few software releases) force every packet to be process switched. If you can't avoid process-switching every packet, at least get a router with a fast CPU, such as the 75xx, 4500, and 4700. The 4700 is currently the fastest at process-switching packets, with the 4500 and 75xx tied for second. The 75xx can optimum-switch, however, so it's a lot faster than either of the 4x00s, if you can use it.]

The second and subsequent packets of each session are capable of being fast switched (more session types are becoming fast-switchable), and will consult only the route-cache. This still involves a memory lookup on the board, but the packet can be transferred from the source card directly to the destination card without requiring full storage on the CSC [the CSC refers to the CPU card, basically].

There are some undocumented commands that are useful for obtainingper-interface statistics on what sort of switching was performed.

For instance:

frobozz-magic-robot>sh int atm4/0 switch
ATM4/0
          Throttle count:          0
       Protocol       Path    Pkts In   Chars In   Pkts Out  Chars Out
             IP    Process     104851    7669968     116378   11180988
               Cache misses     35826
                      Fast          0          0          0          0
                 Auton/SSE          0          0          0          0
frobozz-magic-robot>sh int atm4/0 stat
ATM4/0
       Switching path    Pkts In   Chars In   Pkts Out  Chars Out
            Processor     105024    7679155     116422   11184108
      Route cache/FIB          0          0          0          0
    Distributed cache          0          0          0          0
                Total     105024    7679155     116422   11184108

**************************************************************************

From: Question 21
Date: 31 October 1994
Subject: How does one interpret buffer statistics?

Buffer statistics may be obtained with:

mit2-gw.near.net>sh buffers
Buffer elements:
     433 in free list (500 max allowed)
     82320311 hits, 0 misses, 0 created
Small buffers, 104 bytes (total 202, permanent 120):
     185 in free list (20 min, 250 max allowed)
     34289219 hits, 4297 misses, 1307 trims, 1389 created
Middle buffers, 600 bytes (total 104, permanent 90):
     102 in free list (10 min, 200 max allowed)
     6829533 hits, 1432 misses, 483 trims, 497 created
Big buffers, 1524 bytes (total 90, permanent 90):
     90 in free list (5 min, 300 max allowed)
     3403884 hits, 56 misses, 1 trims, 1 created
Large buffers, 5024 bytes (total 5, permanent 5):
     5 in free list (0 min, 30 max allowed)
     49984 hits, 13 misses, 20 trims, 20 created
Huge buffers, 18024 bytes (total 0, permanent 0):
     0 in free list (0 min, 4 max allowed)
     0 hits, 0 misses, 0 trims, 0 created
     5683 failures (0 no memory)

You can interpret them:

Total    Number of buffers of that size that exist.

Free     Number of free buffers.

Max      Maximum size that the free list can grow to before we start throwing them away.

Hit      Buffer got used.

Miss     Someone requested a buffer and we had to go carve it up out of free memory. If we couldn't because we were at interrupt level, it's also an allocation failure. If we couldn't because we were out of memory, then it's also a ``no memory'' failure.

Trim     There are more free buffers on the free list than there need to be and we threw some away.

Create   Number of buffers we created after a miss.

**************************************************************************

From: Question 22
Date: 22 April 1996
Subject: How should I restrict access to my router?

Many admins are concerned about unauthorized access to their routers from malicious people on the Internet; one way to prevent this is to restrict access to your router on the basis of IP address.

Many people do this, however it should be noted that a significant number of network service providers allow unrestricted access to their routers to allow others to debug, examine routes, etc. If you're comfortable doing this, so much the better, and we thank you!

If you wish to restrict access to your router, select a free standard IP access list (numbered from 1-99); enter ``sh access-list'' to see those numbers in use.

yourrouter#sh access-list
Standard IP access list 5
    permit 192.94.207.0, wildcard bits 0.0.0.255

Next, enter the IP addresses you wish to allow access to your router from; remember that access lists contain an implicit "deny everything" at the end, so there is no need to include that. In this case, 30 is free:

yourrouter#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255
yourrouter(config)#^Z

(This permits all IP addresses in the network 172.30.0.0, i.e. 172.30.*.*). Enter multiple lines for multiple addresses; be sure that you don't restrict the address you may be telnetting to the router from.

Next, examine the output of ``sh line'' for all the vty's (Virtual ttys) that you wish to apply the access list to. In this example, I want lines 2 through 12:

yourrouter#sh line
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns
     0 CTY              -    -      -    -    -      0       0       0/0
     1 AUX   9600/9600  -    -      -    -    -      1 3287605       1/0
*    2 VTY   9600/9600  -    -      -    -    7     55       0       0/0
     3 VTY   9600/9600  -    -      -    -    7      4       0       0/0
     4 VTY   9600/9600  -    -      -    -    7      0       0       0/0
     5 VTY   9600/9600  -    -      -    -    7      0       0       0/0
     6 VTY   9600/9600  -    -      -    -    7      0       0       0/0
     7 VTY   9600/9600  -    -      -    -    7      0       0       0/0
     8 VTY   9600/9600  -    -      -    -    7      0       0       0/0
     9 VTY   9600/9600  -    -      -    -    7      0       0       0/0
    10 VTY   9600/9600  -    -      -    -    7      0       0       0/0
    11 VTY   9600/9600  -    -      -    -    -      0       0       0/0
    12 VTY   9600/9600  -    -      -    -    -      0       0       0/0

Apply the access list to the relevant lines:

yourrouter#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
yourrouter(config)#line 2 12
yourrouter(config-line)#access-class 30 in
yourrouter(config-line)#^Z

(This applies access list 30 to lines 2 through 12. It's important to restrict access to the aux port (line 1) as well if you have a device (such as a CSU/DSU) plugged into it.)

Be sure to save your configuration with ``write mem''.

Please note that access lists for incoming telnet connections do NOT cause your router to perform significant CPU work, unlike access lists on interfaces.
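The procedure above has two places to get it wrong: picking a list number that is already in use, and locking yourself out because the implicit deny catches the address you are managing from. Here is an added example (not from the FAQ or from cisco) that walks the same steps offline: it reads the ``sh access-list'' output shown above to find a free standard number, evaluates candidate source addresses exactly as the router will, refuses to emit the configuration unless your own address is permitted, and renders the access-list and ``access-class'' lines. The management subnet and jump host are constructed.

```python
"""Added example: choose a free standard access list, evaluate sources against it
the way IOS does, and refuse to apply it if it would lock the operator out.
The management addresses are constructed."""
import re
from ipaddress import IPv4Address
from typing import List, Set, Tuple

# 'show access-list' output, taken from the FAQ's example above.
SHOW_ACCESS_LIST = """\
Standard IP access list 5
    permit 192.94.207.0, wildcard bits 0.0.0.255
"""

Entry = Tuple[str, str, str]   # (action, address, wildcard)

# Constructed policy: one management subnet and one jump host.
ENTRIES: List[Entry] = [
    ("permit", "172.30.0.0", "0.0.255.255"),
    ("permit", "192.0.2.10", "0.0.0.0"),
]


def numbers_in_use(show_output: str) -> Set[int]:
    return {int(n) for n in
            re.findall(r"^(?:Standard|Extended) IP access list (\d+)", show_output, re.M)}


def free_standard_acl(show_output: str, preferred: int = 30) -> int:
    """Standard IP lists are numbered 1-99: take 'preferred' if it is free,
    otherwise the lowest free number."""
    used = numbers_in_use(show_output)
    if 1 <= preferred <= 99 and preferred not in used:
        return preferred
    for n in range(1, 100):
        if n not in used:
            return n
    raise RuntimeError("no free standard access-list number")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def evaluate_standard_acl(entries: List[Entry], source: str) -> str:
    for action, base, wild in entries:
        if wildcard_match(source, base, wild):
            return action
    return "deny"               # the implicit deny at the end of every list


def safe_to_apply(entries: List[Entry], my_source: str) -> bool:
    """The lockout check: never apply an access-class that denies your own session."""
    return evaluate_standard_acl(entries, my_source) == "permit"


def render_config(number: int, entries: List[Entry], first_vty: int, last_vty: int) -> List[str]:
    lines = []
    for action, base, wild in entries:
        target = f"host {base}" if wild == "0.0.0.0" else f"{base} {wild}"
        lines.append(f"access-list {number} {action} {target}")
    lines += [f"line vty {first_vty} {last_vty}", f" access-class {number} in"]
    return lines


if __name__ == "__main__":
    number = free_standard_acl(SHOW_ACCESS_LIST)
    for src in ("172.30.4.9", "172.31.4.9", "192.0.2.10", "203.0.113.5"):
        print(f"{src:15s} -> {evaluate_standard_acl(ENTRIES, src)}")
    if safe_to_apply(ENTRIES, "192.0.2.10"):
        print("\n".join(render_config(number, ENTRIES, 0, 4)))
```

Note that 172.31.4.9 is denied even though it is only one bit away from the permitted block: the wildcard 0.0.255.255 leaves the second octet significant, which is exactly the boundary a typo in the mask would silently move.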

**************************************************************************

From: Question 23
Date: 1 November 1994
Subject: What can I do about source routing?

What *is* source routing?

Source routing is an IP option which allows the originator of a packet to specify what path that packet will take, and what path return packets sent back to the originator will take. Source routing is useful when the default route that a connection will take fails or is suboptimal for some reason, or for network diagnostic purposes. For more information on source routing, see RFC 791.

Unfortunately, source routing is often abused by malicious users on the Internet (and elsewhere), and used to make a machine (A) think it is talking to a different machine (B), when it is really talking to a third machine (C). This means that C has control over B's IP address for some purposes.

The proper way to fix this is to configure machine A to ignore source-routed packets where appropriate. This can be done for most unix variants by installing a package such as Wietse Venema's (<[email protected]>) tcp_wrapper:

ftp://cert.org:pub/tools/tcp_wrappers

For some operating systems, a kernel patch is required to make this work correctly (notably SunOS 4.1.3). Also, there is an unofficial kernel patch available for SunOS 4.1.3 which turns all source routing off; I'm not sure where this is available, but I believe it was posted to the firewalls list by Brad Powell sometime in mid-1994.

If disabling source routing on all your clients is not possible, a last resort is to disable it at your router. This will make you unable to use ``traceroute -g'' or ``telnet @hostname1:hostname2'', both of which use LSRR (Loose Source and Record Route, IP option 131; the strict variant SSRR, option 137, is blocked by the same command), but may be necessary for some. If so, you can do this with

foo-e-0#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
foo-e-0(config)#no ip source-route
foo-e-0(config)#^Z

It is somewhat unfortunate that you cannot be selective about this; it disables all forwarding of source-routed packets through the router, for all interfaces, as well as source-routed packets to the router (the last is unfortunate for the purposes of ``traceroute -g'').
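What ``no ip source-route'' actually keys on is the presence of an LSRR or SSRR option in the IPv4 header. The following is an added example (not from the FAQ or from cisco) that parses the option list of an IPv4 header, extracts the hop list from a source-route option, and models the forwarding decision with and without the command. The datagrams are constructed header-only packets with the checksum left at zero; the option type values (LSRR 131, SSRR 137) are from RFC 791. The parser checks every length field, because an option list is attacker-controlled input and a bad length must not walk the parser out of the header.

```python
"""Added example: parse IPv4 options, recognise LSRR/SSRR, and model what
'no ip source-route' does. Datagrams are constructed; checksum left at zero."""
import struct
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137           # option type values from RFC 791
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(packet: bytes) -> List[Tuple[int, bytes]]:
    """Return (type, data) for each option, validating every length so a
    malformed option cannot walk the parser outside the header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, out, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out


def source_route(packet: bytes) -> Optional[Tuple[str, int, List[str]]]:
    """(kind, pointer, hop list) if the datagram is source routed, else None."""
    for kind, data in parse_ipv4_options(packet):
        if kind in SOURCE_ROUTE_OPTIONS:
            if not data or (len(data) - 1) % 4:
                raise ValueError("malformed source route option")
            hops = [str(IPv4Address(data[k:k + 4])) for k in range(1, len(data), 4)]
            return SOURCE_ROUTE_OPTIONS[kind], data[0], hops
    return None


def forward_decision(packet: bytes, ip_source_route: bool) -> str:
    """With 'no ip source-route' (ip_source_route=False) every LSRR/SSRR datagram
    is dropped; a datagram with a malformed option list is dropped regardless."""
    try:
        sr = source_route(packet)
    except ValueError as exc:
        return f"drop (malformed: {exc})"
    if sr is not None and not ip_source_route:
        return f"drop ({sr[0]} via {', '.join(sr[2])})"
    return "forward"


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Header-only IPv4 datagram (protocol TCP, no payload), options padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        IPv4Address(src).packed, IPv4Address(dst).packed)
    return fixed + options


def lsrr_option(hops: List[str]) -> bytes:
    route = b"".join(IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(route), 4]) + route   # pointer starts at 4


# Constructed datagrams (documentation addresses).
PLAIN = build_ipv4("192.0.2.1", "198.51.100.2")
ROUTED = build_ipv4("192.0.2.1", "198.51.100.2", lsrr_option(["203.0.113.9", "198.51.100.2"]))
MALFORMED = build_ipv4("192.0.2.1", "198.51.100.2", bytes([IPOPT_LSRR, 0, 4]))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("lsrr", ROUTED), ("malformed", MALFORMED)):
        print(f"{name:10s} ip source-route: {forward_decision(pkt, True):44s}"
              f" no ip source-route: {forward_decision(pkt, False)}")
```

The hop list is what an attacker uses for the A/B/C trick described above: the victim's replies follow the recorded route back through the attacker's host. Dropping on the option type, rather than trying to validate the hops, is why the router command is all-or-nothing.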

**************************************************************************

From: Question 24
Date: 22 April 1996
Subject: Is there a block of private IP addresses I can use?

Yes there is, however whether you wish to do so is an issue ofsome debate.

You could consult:

1627  Network 10 Considered Harmful (Some Practices Shouldn't be Codified). E. Lear, E. Fair, D. Crocker & T. Kessler. June 1994.

1918  Address Allocation for Private Internets. Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot & E. Lear. February 1996. (Obsoletes RFC1627, RFC1597) (Also BCP0005)

In any event, RFC 1918 documents the allocation of the following addresses for use by ``private internets'':

    10.0.0.0    - 10.255.255.255
    172.16.0.0  - 172.31.255.255
    192.168.0.0 - 192.168.255.255

Most importantly, it is vital that nothing using these addresses should ever connect to the global Internet, or have plans to do so. Please read the above RFCs before considering implementing such a policy.

As an additional note, some Internet providers provide network-management services, statistics gathering, etc. It is unlikely (if at all possible) that they would be willing to perform those services if you choose to utilize private address space.

With the increasing popularity and reliability of address translation gateways, this practice is becoming more widely accepted. Cisco has acquired Network Translation, who manufacture such a product. It is now available as the Cisco Private Internet Exchange. With it, you can use any addressing you want on your private internet, and the gateway will ensure that the private addresses are translated before traffic goes out onto the global Internet. It also makes a good firewall. Information on this product is available at http://www.cisco.com/warp/public/751/pix/index.html

**************************************************************************

From: Question 25
Date: 18 April 1995
Subject: Is DHCP supported?

DHCP, the Dynamic Host Configuration Protocol (RFC 1541, with its options defined in RFC 1533), is essentially a more extended and flexible version of BOOTP, which allows configuration parameters and other control information to be carried to hosts.

Forwarding of DHCP packets (to a DHCP server elsewhere in the network) is supported in 9.21(4) and 10.0(3), as well as later releases.

**************************************************************************

From: Question 26
Date: 18 April 1995
Subject: Where can I get cisco documentation?

Cisco no longer distributes printed documentation with their routers; instead, they distribute a CDROM.

Paper documentation may be purchased, however if you purchase a support contract, documentation is free.

Cisco documentation is also available on the web; if you have a fast Internet connection this may be more useful than the CD. Try:

http://www.cisco.com/univercd/data/doc/product.htm

**************************************************************************

From: Question 27
Date: 18 April 1995
Subject: What's the latest software for the CSC/3?

The last supported release on the CSC/3 is 9.1(15). cisco does not plan to release further software for the CSC/3.

**************************************************************************

From: Question 28
Date: 19 May 1995
Subject: What IP routing protocol should I use?

This is a really complicated question, and a full answer is beyond the scope of this document. Here are the beginnings of an answer.

Note that Hello is no longer shipped with cisco routers, and that EGP has been declared Historical (and thus obsolete) by the IETF. Don't use them.

Protocol      RIP     HELLO   IGRP    OSPF    EIGRP   IS-IS   EGP     BGP4
------------------------------------------------------------------------------
Type          IGP     IGP     IGP     IGP     IGP     IGP     EGP     EGP
Algorithm     DV      DV      DV      SPF     DUAL    SPF     DV      PV
Metrics       Hopcnt  Delay   Speed   Arb.    Speed   Arb.    Policy  Policy
Convergence   Slow    Unstb   Mdt     Fast    Fast    Fast    Slow    Fast
Standard?     IETF    No      No      IETF    No      ISO     Hist.   IETF
Complexity    Simple  Simple  Simple  Complx  Complx  Complx  Simple  Complx
Multipath?    Yes     Yes     Yes     Yes     Yes     Yes     Yes     [*]
Var-netmask?  No      No      No      Yes     Yes     Yes     No      Yes

Notes
-----

IGP   interior gateway protocol, used to build routing tables within an AS.
EGP   exterior gateway protocol, used to communicate reachability information between AS's.

Algorithms
----------

DUAL  DV with diffusing update algorithm (Garcia-Luna-Aceves et al)
DV    Distance Vector (Bellman-Ford)
PV    "Path Vector"
SPF   Shortest-path-first (Dijkstra)

Metrics-------

A metric is how the protocol measures the network to determine the "best" path.

"Speed" refers typically to link speed, not available bandwidth. "Arb." indicates that the metrics are arbitrary and configurable.

HELLO tried to use available bandwidth by monitoring round-trip delay, but was not generally successful at this.

Metrics are not directly exchangeable when redistributing routing information from one protocol to another. IGRP and EIGRP use compatible and automatically convertible metrics.

Convergence-----------

Qualitatively, convergence measures how fast routers using this protocol will adapt to changes in the topology of the network.

"Unstb" indicates a protocol which in general never decided on a stable configuration but continually oscillated between alternatives.

Complexity----------

An observation of how complex the protocol is to implement.

Multipath---------

Multipath indicates whether the protocol supports and transports multiple equal- or different-cost pathways between endpoints.

[*] indicates that BGP4 supports multipath for IBGP (Internal BGP, a full mesh of all border routers within an AS), but not for EBGP (External BGP).

Variable netmask (Var-netmask)
------------------------------

Indicates whether the protocol allows for and transports different masks for the subnets of a routed network.

**************************************************************************

From: Question 29
Date: 18 April 1995
Subject: How do I interpret the output of ``show version''?

Typing ``show version'' or ``show hardware'' yields a response like:

prospect-gw.near.net>sh version
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]

System-type (imagename) Version major.minor(release.interim)[who] Desc

System-type: type of system the software is designed to run on.

imagename: The name of the image. This is different (slightly) for run-from-rom, run-from-flash, and run-from-ram images, and also for subset images which both were and will be more common.

"Version": text changes slightly. For example, if an engineer gives you a special version of software to try out a bug fix, this will say experimental version.

Major: Major version number. Changes (in theory) when there have been major feature additions and changes to the software.

Minor: minor version number. Smaller but still significant feature added. (In reality, cisco is not very sure what the difference between "major" and "minor" is, and sometimes politics gets in the way, but either of these "incrementing" indicates feature additions.) EXCEPT: 9.14, 9.17, and 9.1 are all somewhat similar. 9.1 is the base, 9.14 adds special features for low end systems, 9.17 added special features specific to the high end (cisco-7000). This was an experiment that we are trying not to repeat.

release: increments (1 2 3 4 ...) for each maintenance release of released software. Increments for every compile in some other places.

interim: increments on every build of the "release tree", which happens weekly for each release, but is only made into a generically shipping maintenance release every 7 to 8 weeks or so.

[who]: who built it. Has "fc 1" or similar for released software. Has something like [billw 101] for test software built by Bill Westfield ([email protected]).

Desc: additional description.

The idea is that the image name and version number UNIQUELY identify a set of sources and debugging information somewhere back at cisco, should anything go wrong.

Copyright (c) 1986-1995 by cisco Systems, Inc.
Compiled Thu 09-Mar-95 23:54 by tli
Image text-base: 0x00001000, data-base: 0x00463EB0

Copyright, compilation date (and by whom), as well as the starting address of the image.

ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)

The version of ROM bootstrap software, and the version of IOS in ROM.

prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
System restarted by reload

How long the router has been up, and why it restarted.

System image file is "sse-current", booted via flash

How the router was booted.

RP (68040) processor with 16384K bytes of memory.

Type of processor.

G.703/E1 software, Version 1.0.
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
Bridging software.
ISDN software, Version 1.0.

Various software options compiled in.

1 Silicon Switch Processor.
2 EIP controllers (8 Ethernet).
2 FSIP controllers (16 Serial).
1 MIP controller (1 T1).
8 Ethernet/IEEE 802.3 interfaces.
16 Serial network interfaces.
128K bytes of non-volatile configuration memory.
4096K bytes of flash memory sized on embedded flash.

Hardware configuration.

Configuration register is 0x102

Lastly, the "configuration register", which may be set via software in current releases...

**************************************************************************

From: Question 30
Date: 22 April 1996
Subject: What is the maximum number of Frame Relay PVCs?

This is covered fairly thoroughly in Product Info/Product Bulletin/Frame Relay Broadcast Queue, Cisco Product Bulletin # 256, available on CIO.

Via the web (requires CIO username and password): http://cio.cisco.com/warp/customer/417/38.html

An excerpt:

(Virtual Interfaces)

It should be noted that in the IOS (Internetworking Operating System) 10.0 software there is a limit of 256 Virtual and physical interfaces. Hence, if each DLCI is given its own virtual interface, the router is limited to 256 DLCIs. This restriction is expected to be removed in a future release. In most scenarios, it is not necessary that each DLCI have its own Virtual Interface. In particular, IP has the facility which allows disabling of split-horizon routing and hence does not require Virtual Interfaces to support partial mesh topologies.

(Appendix 1: How many DLCIs Can Cisco Support on an Interface?)

This question is similar to the question of how many PCs can you put on an Ethernet. In general, you can put a lot more than you should given performance and availability constraints. When dimensioning a router in a large network, the following issues should be considered:

DLCI Address Space: The only hard limits are the roughly 1000 DLCI limit due to the 10 bit DLCI address space in the Frame Relay frame header.

LMI Status Update: The LMI protocol requires that all status reports fit into a single packet and generally limits the number of DLCIs to less than 800.

Max DLCIs (approx) = (MTU - 20)/5, where MTU is the MTU size in bytes on the Frame Relay link.

Broadcast Replication: When sending, the router must replicate the packet on each DLCI and this causes congestion on the access link. The Broadcast Queue reduces this problem. In general, the network should be designed to keep the routing update load to below 20 percent of the access line speed. It is also important that memory requirements for the Broadcast Queue be considered. A good technique to reduce this restriction is the use of a default route or extending the update timers.

Broadcast Receipt: When receiving, the router must receive updates from the network. The issue here is that the upstream switch can be overloaded and drop packets. When routing updates are dropped, routing instability occurs. Again, the receiving routing update load should be kept to less than 20 percent of the access link speed and preferably lower. Where very high speed links are used, a limit of 128 Kbit/s worth of routing updates is recommended.

Routing Stability: When using a link state protocol to reduce the update traffic, the dimensioning should be done assuming the periodic update process and the worst case for Link State Updates (i.e., assuming link and power instability). Dimensioning should not be based on the Hello traffic. As a rule of thumb, dimension assuming a distance vector protocol, but assume that extra bandwidth is available for user data.

User Data Traffic: Clearly, the number of DLCIs is dependent on the traffic on each DLCI and the performance requirements to be met. In general, Frame Relay accesses should be run at lower loads than router-to-router links since the prioritisation capabilities are not as strong in many cases and in general the marginal costs of increasing access link speed are lower than with dedicated lines.

Many of the issues covered here are included in the Internet Design Guide manual that Cisco provides.

Update:

The limit of 256 PVCs goes away in IOS 11.1. I think the number is now something like 1024 per router or some even more ludicrous number. There are still lots of reasons you never want to do that. ;-)

**************************************************************************

From: Question 31
Date: 18 April 1995
Subject: How much memory is necessary to telnet to a cisco router?

In order to login to a cisco router, it needs to have at least 64k of contiguous free memory.

**************************************************************************


From: Question 32
Date: 18 April 1995
Subject: Where can I purchase flash RAM?

There are two varieties:

MEM-1X8F   8meg
MEM-2X8F   16meg

******************************** 2500 ********************************
****************************** 8M Flash ******************************
PRODUCT#    QTY
--------    ---
MEM-1X8F    1
MEM-2X8F    2

Part Number: 16-0975-01
Description: IC,FEPROM, 2Mx32,100ns,SIM80
SC: P    REV: A0    S/UM: EA    P/UM: EA

VENDOR ITM   MANUFACTURER'S PART CODE    MANUFACTURER'S NAME
----------   ------------------------    -------------------
1- 1         SM732C2000B-10 KITTING01    SMART MODULE

Smart Modular is located in Fremont, California.

For small orders, Smart Modular recommends you contact:

PC Complete, 800-849-4622.

They carry both Flash RAM and DRAM.

**************************************************************************

From: Question 32
Date: 19 May 1995
Subject: When are static routes redistributed?

In the simple case, any static route *in the routing table* is redistributed if the ``redistribute static'' command is used, and some filter (set with either ``route-map'' or ``distribute-list out'') doesn't filter it out.

Whether the static route gets into the routing table depends on:

* Whether the next hop address is reachable (if you use a static route pointing to a next hop)

OR

* Whether the interface is up (if you use a static route pointing to an interface).

If one of these is true, an attempt is made to add the route to the routing table; whether that succeeds depends on the administrative distance of the route -- a lower administrative distance (the route is "closer") than a preexisting route will cause the preexisting route to be overwritten.


**************************************************************************

From: Question 33
Date: 19 May 1995
Subject: When is the next hop of a route considered ``reachable''?

When a static route is added, or during an important event (eg: interface up/down transition), the next hop for a route is looked up from the routing table (i.e. recursive routing).

As a consequence, if a route which is depended upon for evaluation of the next hop of a static route goes away, a mechanism is required to remove that (now-invalid) static route.

Scanning all static routes each time the routing table changes is too expensive, so instead, a periodic timer is used. Once a minute, static routes are added and removed from the routing table based on the routes they depend upon.

It should be noted that a particular static route will be reevaluated when its interface transitions up or down.
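As an added illustration for Questions 32 and 33 (it is not part of the FAQ and not IOS code), the Python model below installs a static route only when its next hop resolves recursively through the table or its interface is up, applies the administrative-distance tie-break, and runs the once-a-minute rescan that removes a static whose dependency has gone away. Addresses, interface names and the scenario are constructed; the administrative distances (connected 0, static 1, OSPF 110) are the usual IOS defaults.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Toy model written for this FAQ, not IOS code.  Administrative distances
# are the usual IOS defaults: connected 0, static 1, OSPF 110.


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    source: str                      # "connected", "static", "ospf"
    distance: int                    # administrative distance; lower wins
    interface: Optional[str] = None  # exit interface, if the route names one
    next_hop: Optional[IPv4Address] = None


class Router:
    def __init__(self, interfaces: Dict[str, bool]):
        self.interfaces = dict(interfaces)          # name -> link is up
        self.table: Dict[IPv4Network, Route] = {}   # installed routes
        self.connected: List[Route] = []
        self.statics: List[Route] = []              # configured, installed or not

    def lookup(self, dst) -> Optional[Route]:
        """Longest-prefix match over the installed routing table."""
        dst = ip_address(dst)
        hits = [r for r in self.table.values() if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def resolves(self, r: Route) -> bool:
        """Question 33's test: a route naming an interface is usable while that
        interface is up; a route naming a next hop is usable while the next hop
        itself matches something in the table (recursive lookup), and a route
        may not resolve through itself."""
        if r.interface is not None:
            return self.interfaces.get(r.interface, False)
        via = self.lookup(r.next_hop)
        return via is not None and via.prefix != r.prefix

    def try_install(self, r: Route) -> bool:
        """Question 32's tie-break: replace an existing route for the same prefix
        only when our administrative distance is lower (the route is 'closer')."""
        cur = self.table.get(r.prefix)
        if cur is None or r.distance < cur.distance:
            self.table[r.prefix] = r
            return True
        return False

    def add_connected(self, prefix: str, interface: str) -> bool:
        r = Route(ip_network(prefix), "connected", 0, interface)
        self.connected.append(r)
        return self.resolves(r) and self.try_install(r)

    def add_static(self, prefix: str, *, interface=None, next_hop=None, distance=1) -> bool:
        r = Route(ip_network(prefix), "static", distance, interface,
                  ip_address(next_hop) if next_hop else None)
        self.statics.append(r)
        return self.resolves(r) and self.try_install(r)

    def set_interface(self, name: str, up: bool) -> None:
        """Link transition: routes that name the interface are re-evaluated at
        once (Question 33, last paragraph); statics that depend on a next hop
        are left alone until the periodic scan."""
        self.interfaces[name] = up
        for p, r in list(self.table.items()):
            if r.interface == name and not up:
                del self.table[p]
        if up:
            for r in self.connected + self.statics:
                if r.interface == name:
                    self.try_install(r)

    def rescan_statics(self) -> List[str]:
        """The once-a-minute timer: drop installed statics whose dependency went
        away, then re-add any configured static that resolves again."""
        changes = []
        for r in self.statics:
            if self.table.get(r.prefix) is r and not self.resolves(r):
                del self.table[r.prefix]
                changes.append(f"removed {r.prefix} via {r.next_hop or r.interface}")
        for r in self.statics:
            if self.table.get(r.prefix) is not r and self.resolves(r) and self.try_install(r):
                changes.append(f"added {r.prefix} via {r.next_hop or r.interface}")
        return changes


def demo() -> dict:
    """Walk through the scenario the two answers describe (constructed addresses)."""
    rtr = Router({"Serial0": True, "Ethernet0": True})
    rtr.add_connected("10.1.1.0/30", "Serial0")
    rtr.add_connected("192.168.1.0/24", "Ethernet0")
    ospf = Route(ip_network("172.16.0.0/16"), "ospf", 110, "Ethernet0", ip_address("192.168.1.2"))
    out = {}
    # next hop on the serial /30: the recursive lookup succeeds, so the static goes in
    out["static_installed"] = rtr.add_static("172.16.0.0/16", next_hop="10.1.1.2")
    # next hop that matches nothing in the table: configured but never installed
    out["unresolved_static"] = rtr.add_static("10.9.9.0/24", next_hop="10.20.20.1")
    # OSPF offers the same /16 at distance 110; the static at distance 1 is closer
    out["ospf_rejected"] = rtr.try_install(ospf)
    # the serial link drops: its connected /30 leaves immediately...
    rtr.set_interface("Serial0", False)
    out["static_still_there"] = rtr.lookup("172.16.5.5") is not None
    # ...but the static that depended on it lingers until the periodic scan
    out["scan"] = rtr.rescan_statics()
    out["after_scan"] = rtr.lookup("172.16.5.5")
    # with the static gone, nothing stands in OSPF's way any more
    out["ospf_accepted"] = rtr.try_install(ospf)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:20} {v}")
```

The interesting step is the gap between the link going down and the scan: for up to a minute the static still answers lookups for 172.16.0.0/16 even though its next hop is unreachable, which is exactly the window the answer's periodic timer exists to close.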

**************************************************************************

From: Question 35
Date: 22 April 1996
Subject: How do name and phone number of ``dialer map'' interfere?

How do name and phone number of `dialer map' interfere?

We use the telephone number first actually. If the caller id matches the telephone number to call, then you don't need the 'name' parameter with a phone number.

I realized that the above is ambiguous, so let's do this. You have:

dialer map ip x.x.x.x name <param1> <phone-num>

<param1> is used for incoming authentication. It can be either the hostname, for PAP and CHAP, or it can be a number as returned by caller id. If this is not there, and it is an incoming call, and there is caller id, we will compare against <phone-num> to see if that matches.

Not sure I've been clear here.

**************************************************************************

From: Question 36
Date: 22 April 1996
Subject: What's the purpose of the network command?

> * what is the real purpose of the network subcommand of
> router commands? When do I not want to include a network
> I know about?

The real purpose of the 'network' sub-command of the router commands is to indicate what networks that this router is connected to are to be advertised in the indicated routing protocol or protocol domain. For example, if OSPF and EIGRP are configured, some subnets may be advertised in one and some in the other. The network command enables one to do this.


An example of such a case is a secure subnet. Imagine the case where a set of subnets are permitted to communicate within a campus, but one of the buildings is intended to be inaccessible from the outside. By placing the secure subnet in its own network number and not advertising the number, the subnet is enabled to communicate with other subnets on the same router, but is unreachable from any other router, barring static routes. This can be extended by using a different routing protocol or routing protocol domain for the secure network; subnets on the various routers within the secure domain are mutually reachable, and routes from the non-secure domain may be leaked into the secure domain, but the secure domain is invisible to the outside world.

**************************************************************************

From: Question 37
Date: 22 April 1996
Subject: What is VLSM?

A Variable Length Subnet Mask (VLSM) is a means of allocating IP addressing resources to subnets according to their individual need rather than some general network-wide rule. Of the IP routing protocols supported by Cisco, OSPF, Dual IS-IS, BGP-4, and EIGRP support "classless" or VLSM routes.

Historically, EGP depended on the IP address class definitions, and actually exchanged network numbers (8, 16, or 24 bit fields) rather than IP addresses (32 bit numbers); RIP and IGRP exchanged network and subnet numbers in 32 bit fields, the distinction between network number, subnet number, and host number being a matter of convention and not exchanged in the routing protocols. More recent protocols (see VLSM) carry either a prefix length (number of contiguous bits in the address) or subnet mask with each address, indicating what portion of the 32 bit field is the address being routed on.

A simple example of a network using variable length subnet masks is found in Cisco engineering. There are several switches in the engineering buildings, configured with FDDI and Ethernet interfaces and numbered in order to support 62 hosts on each switched subnet; in actuality, perhaps 15-30 hosts (printers, workstations, disk servers) are physically attached to each. However, many engineers also have ISDN or Frame Relay links to home, and a small subnet there. These home offices typically have a router or two and an X terminal or workstation; they may have a PC or Macintosh as well. As such, they are usually configured to support 6 hosts, and a few are configured for 14. The point to point links are generally unnumbered.

Using "one size fits all" addressing schemes, such as are found in RIP or IGRP, the home offices would have to be configured to support 62 hosts each; using numbers on the point to point links would further compound the address bloat.

One configures the router for Variable Length Subnet Masking by configuring the router to use a protocol (such as OSPF or EIGRP) that supports this, and configuring the subnet masks of the various interfaces in the 'ip address' interface sub-command. To use supernets, one must further configure the use of 'ip classless' routes.
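To make the address arithmetic concrete, here is an added example (not from the FAQ) that sizes each subnet from its host count, carves the subnets out of one block largest-first so each lands on a boundary of its own size, and then compares the total with a single network-wide mask of the kind RIP or IGRP force on you. The demand list imitates the engineering example above; its names and the 10.10.0.0/23 block are constructed.

```python
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import Dict

# Constructed demand list modelled on the Cisco engineering example: two
# switched subnets sized for 62 hosts, four home offices for 6 hosts and one
# home office for 14.  Names and counts are made up for this example.
ENGINEERING = {
    "bldg-fddi": 62, "bldg-ether": 62,
    "home-alice": 6, "home-bob": 6, "home-carol": 6, "home-dave": 6,
    "home-erin": 14,
}


def prefix_for_hosts(hosts: int) -> int:
    """Longest prefix (smallest subnet) that still leaves `hosts` usable
    addresses once the network and broadcast addresses are set aside."""
    size = 4                               # a /30 is the smallest useful subnet
    while size - 2 < hosts:
        size *= 2
    return 32 - (size.bit_length() - 1)


def allocate(block: str, demands: Dict[str, int]) -> Dict[str, IPv4Network]:
    """Carve variable-length subnets out of `block`, largest first so every
    subnet begins on a boundary of its own size.  Raises ValueError when the
    block is exhausted instead of silently overlapping."""
    net = ip_network(block)
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    result: Dict[str, IPv4Network] = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        plen = prefix_for_hosts(hosts)
        size = 1 << (32 - plen)
        if cursor + size > end:
            raise ValueError(f"{block} exhausted while placing {name}")
        result[name] = ip_network(f"{IPv4Address(cursor)}/{plen}")
        cursor += size
    return result


def addresses_used(allocation: Dict[str, IPv4Network]) -> int:
    return sum(n.num_addresses for n in allocation.values())


def fixed_mask_used(demands: Dict[str, int]) -> int:
    """The 'one size fits all' alternative (RIP, IGRP): a single mask for the
    whole network, so every subnet must be as big as the largest one."""
    plen = prefix_for_hosts(max(demands.values()))
    return len(demands) * (1 << (32 - plen))


if __name__ == "__main__":
    vlsm = allocate("10.10.0.0/23", ENGINEERING)
    for name, subnet in vlsm.items():
        print(f"{name:12} {subnet!s:18} {subnet.num_addresses - 2} usable")
    print("VLSM addresses consumed :", addresses_used(vlsm))
    print("fixed-mask equivalent   :", fixed_mask_used(ENGINEERING))
```

With the sample demands VLSM consumes 176 addresses against 448 for a uniform /26, and that is before counting the /30s that numbered point-to-point links would add, which is why the engineering network leaves them unnumbered.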

**************************************************************************

From: Question 38
Date: 22 April 1996
Subject: What are some methods for conserving IP addresses for serial lines?

VLSM and unnumbered point to point interfaces are the obvious ways.

The 'ip unnumbered' subcommand indicates another interface or sub-interface whose address is used as the IP source address on messages that the router originates on the unnumbered interface, such as telnet or routing messages. By doing this, the router is reachable for management purposes (via the address of the one numbered interface) but consumes no IP addresses at all for its unnumbered links.

**************************************************************************
**************************************************************************
Start of rev 2.00 section!
**************************************************************************
**************************************************************************

**************************************************************************

From: Question 39
Date: 02 February 2002
Subject: Flash upgrade issues for Cisco 2500 series routers
Answer by: Terry Kennedy <[email protected]>

> When I remove the original flash and replace it with either one or both of
> the new flash chips, I get the following error on boot up and the router ends
> up in boot mode:
> ERR: Invalid chip id 0x80B5 (reversed = 0x1AD ) detected in System flash

This has to be the most common FAQ for this group. You have non-Intel flash chips on your new SIMMs and boot ROMs that are too old to know about the different access method for the flash chips you have.

You need to either get the (free, call TAC) BOOT-2500= ROM upgrade from Cisco, or exchange the flash SIMMs for ones using Intel chips. Note that Intel no longer makes those chips, which is why everybody has this problem.

**************************************************************************

From: Question 40
Date: 02 February 2002
Subject: How do I prevent my switch ports from going into ErrDisable state?
Answer by: "bt" <@speakeasy.org>

The 2 commands that are in the newer CatOS (5.4+) to automatically recover from errdisable are:

* set errdisable-timeout enable <reason>
* set errdisable-timeout interval <seconds>

The <reason> can be 1) bpdu-guard, 2) channel-misconfig, 3) duplex-mismatch, 4) udld, 5) other and 6) all. The <seconds> defaults to 300 seconds; you could make that more aggressive, down to 30.

If you want, you can disable the error detection as well:

* set errordetection portcounters disable

By default it's on for portcounters and disabled for memory and inband management.

But please keep in mind that you need to fix the problem. The ports are going into ErrDisable mode for a reason!

**************************************************************************

From: Question 41
Date: 02 February 2002
Subject: How do I configure a router to act as a Frame-Relay Switch?
Answer by: "BM" <[email protected]>

config t
frame-relay switching
!
interface Serial0
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 ! In the config below, the 102 is the DLCI that will be
 ! presented to the router connected to this - S0 -
 ! interface. 201 is the DLCI that is mapped to S1
 frame-relay route 102 interface Serial1 201
 frame-relay route 103 interface Serial2 301
!
interface Serial1
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0 102
 frame-relay route 203 interface Serial2 302
!
interface Serial2
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 301 interface Serial0 103
 frame-relay route 302 interface Serial1 203

                  ________                ______
                 | FR SW  |_S2________S0_| R3   |
                 |________|              |______|
                  S0 /  \ S1
                    /    \
                   /      \
               S0 /        \ S0
             __/___      _\_____
            | R1   |    | R2    |
            |______|    |_______|

R1 S0, R2 S0 and R3 S0 will be on the same subnet. You can treat it as p2mp. I put all the DCE ends of the cables on the Frame Switch, so clock rate is defined there. However, this is not a requirement. The FR Switch router does not need to have the DCE end. Regardless of the gender of the cable, however, the "frame-relay intf-type dce" is required. I defined the DLCIs as Source Router + 0 + Destination Router. So if the circuit goes from R1 to R3 it's DLCI 103. From R3 to R1 it's DLCI 301. You get the idea.
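As an added example (written for this FAQ, not a Cisco tool), the Python below generates the same kind of frame-relay switch configuration for any number of attached routers using the "source router + 0 + destination router" DLCI scheme, then parses a configuration back and checks that every PVC is mapped in both directions. The router-to-interface map is an assumption; with {1: "Serial0", 2: "Serial1", 3: "Serial2"} it reproduces the three interfaces shown above.

```python
import re
from typing import Dict, Tuple

# Added example for this FAQ, not a Cisco utility.  The port map (router
# number -> switch interface) is supplied by the caller.

ROUTE_RE = re.compile(r"^\s*frame-relay route (\d+) interface (\S+) (\d+)$")


def dlci(src: int, dst: int) -> int:
    """The answer's numbering: source router, 0, destination router
    (R1 -> R3 is 103, R3 -> R1 is 301).  Only meaningful for routers 1..9."""
    if not (1 <= src <= 9 and 1 <= dst <= 9):
        raise ValueError("the S0D scheme only covers routers 1 through 9")
    return src * 100 + dst


def frame_switch_config(ports: Dict[int, str], clockrate: int = 64000) -> str:
    """Full-mesh switch: on each port, map the DLCI the attached router sees
    for a peer onto the DLCI that peer sees on its own port."""
    lines = ["frame-relay switching", "!"]
    for r, intf in sorted(ports.items()):
        lines += [f"interface {intf}",
                  " no ip address",
                  " no keepalive",
                  " encapsulation frame-relay",
                  f" clockrate {clockrate}",
                  " frame-relay intf-type dce"]
        for peer, far in sorted(ports.items()):
            if peer != r:
                lines.append(f" frame-relay route {dlci(r, peer)} interface {far} {dlci(peer, r)}")
        lines.append("!")
    return "\n".join(lines)


def parse_routes(config: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Read a switch config back into {(in_intf, in_dlci): (out_intf, out_dlci)}."""
    routes: Dict[Tuple[str, int], Tuple[str, int]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        m = ROUTE_RE.match(line)
        if m and current:
            routes[(current, int(m.group(1)))] = (m.group(2), int(m.group(3)))
    return routes


def pvcs_are_symmetric(config: str) -> bool:
    """Every PVC needs a route statement on both ports; a one-sided
    'frame-relay route' passes frames in one direction only."""
    routes = parse_routes(config)
    return all(routes.get(out) == key for key, out in routes.items())


if __name__ == "__main__":
    cfg = frame_switch_config({1: "Serial0", 2: "Serial1", 3: "Serial2"})
    print(cfg)
    print("symmetric:", pvcs_are_symmetric(cfg))
```

The symmetry check is the useful part when you hand-edit such a config: it catches the mapping you typed on one serial interface and forgot on the other.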

**************************************************************************

From: Question 42
Date: 02 February 2002
Subject: What are the different types of memory used by Cisco Routers?
Answer by: Michael Shorts <[email protected]>

The 2500 Series and 7204 VXR have the same types of memory, but they are implemented in different physical packages:

ROMMON - This is the initial bootstrap for the router.

Boot Helper - This is a subset of IOS that is used to update software or network boot. The 2500 implements the ROMMON and boot helper in a set of two ROMs. The 7204VXR has ROMMON in a ROM and boot helper in a piece of flash memory on the I/O controller called boot flash.

Main memory - This is used to hold routing tables, and IOS variables. In the 7204 VXR, IOS itself is also resident in main memory. The 2500 Series usually runs the IOS directly in flash.

Shared memory - This is the memory that holds packet buffers. On the 2500 Series, this is part of the same physical memory as main memory. On the 7204 VXR, it's separate memory.

Flash memory - This memory holds the IOS image. On the 2500 Series, there are two flash SIMM sockets (max 16 MB). On the 7204VXR, there are PCMCIA slots on the I/O controller which can take a 128 MB flash disk.

Configuration memory (NVRAM) - This is the memory that holds the IOS configuration. In the 2500 Series, it's a 32 KB EEPROM. On the 7204VXR it is 128 KB battery backed up SRAM on the I/O controller.

**************************************************************************

From: Question 43
Date: 02 February 2002
Subject: How do I load the Documentation CD (UniverseCD) on Windows 2000?
Answer by: "Alberto Colmenero" <[email protected]>

Doc CD Content appears garbled:
The Doc CD content is compressed - it requires Verity to decompress it. This is why Verity is used on the Doc CD. What has happened is you've tried to directly open up index.html off the CD into your browser, and this is not possible to do. The CD must be accessed through the Verity Web Publisher through: http://127.0.0.1:8080/home/home.htm. This is the startup address that is launched when you click on "Launch CD."

Windows 2000 and Doc CD:
Pre-July 2000 Documentation CDs do not work on Windows 2000 out of the box. They will cause "Search.exe" to crash when run under Win2k.

There is a fix that sometimes works for these CDs at: http://www.cisco.com/warp/public/620/ioscd.html. This fix MUST be done BEFORE you install the CD. If the CD has already been installed, then uninstall it, delete c:\cisco, make this registry change, then re-install the Doc CD (both the Browser Software Installer and the Documentation CD). (I have tried this on my laptop which is running Windows 2000 and it worked fine, but I had to delete c:\Cisco first and launch the Browser Software Installer CD (1) first, then the Documentation CD (2); my version of the CD was Nov 1999.)

(I have already sent this one to you; did you delete c:\Cisco and launch both CDs?)

Other fixes are shown below.

The Doc CD starts up to about:blank
There are two alternate fixes for this:

1. After launching the Doc CD, put in http://127.0.0.1:8080/home/home.htm for the address, and then add it to your favorites.

-or-

2. This is a 4-step fix:
   A. Ensure that search.exe is not running.
   B. Edit the installed search.ini (c:\CISCO\search.ini).
   C. Change the line 'Browser=c:\program files\internet explorer\iexplore.exe' to 'Browser=msie'.
   D. Launch the CD.

Nothing happens when I click Launch CD
The usual cause for this is that you've installed a post-July 2000 Documentation CD over the top of a previous Doc CD. The fix for this is to:
1. Uninstall the Doc CD from the control panel -> add/remove programs.
2. Delete c:\cisco
3. Reinstall the Doc CD.

Finally, to reorder a CD:
The Cisco Documentation CD is also available online at: http://www.cisco.com/univercd/home/home.htm

**************************************************************************

From: Question 44
Date: 02 February 2002
Subject: How do I load a large image on a 2500 *lab* router?
Answer by: [email protected] (Vincent C Jones)

For production work (support by Cisco required) you need 16M Flash to run 12.0 or 12.1 Enterprise. If you don't need Cisco support, 12.0 Enterprise is small enough (about 10M) to run from RAM (upgrading to 16M of RAM is MUCH cheaper than upgrading to 16M of flash) using a compressed image in the 8M of flash you do have.

12.1 Enterprise is 14M so it must be run from flash (otherwise there is not enough RAM remaining to even complete loading of the OS).

Check the release notes on www.cisco.com for the IOS release you want to use. If the actual size of the IOS plus the minimum recommended RAM totals less than 16MB, you can run compressed or boot from TFTP without expanding flash. Check deja-news on google if you are unclear on how to run a compressed image on the 2500; it is a frequent request and hopefully will turn up in the renovated FAQ when Hansang gets a chance to publish it.

**************************************************************************

From: Question 45
Date: 02 February 2002
Subject: daisy-chaining reverse telnet console-aux ports
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

> I've hooked 4 routers together in a lab and I'm daisy-chaining them
> aux --> console and using reverse telnet to get to them...
>
> However when I get to the fourth router and do a CTRL-SHFT-6 X,
> I get back to the first router. If I kill the AUX line, then initiate the
> reverse telnet again, I fall through router 2 and 3 to 4 again...
> Is there an easy way to fall back one router at a time?
> or should I not bother to do this?

You have two options. One is to use a different escape character on the second (third, fourth, etc.) console (and/or vty):

conf t
 line con 0    /* or vty 0 4 */
  escape-character 23

This will let you use CTRL-W then X to break out of the reverse telnet session.

Or

You can use CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the second session, and CTRL-SHFT-6, CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the third session, etc.

**************************************************************************

From: Question 46
Date: 02 February 2002
Subject: What Windows chatter could bring up an ISDN line?
Answer by: "Phillip Remaker" <[email protected]>


> ...we get multiple spurious dial-ups after every intended one.
> The first unwanted one occurs about 20 minutes after the intended one,
> and the subsequent unwanted ones about every 20 minutes after that.
> All last exactly 200 seconds, which is the configured router hangup
> time.
> Does anyone have any idea what might be causing these?

Yep. See http://support.microsoft.com/support/kb/articles/Q135/3/60.asp for all of the periodic packet transmissions associated with Windows Networking.

Dialer access lists will not help you, since the identifying information is too deep inside the packet and therefore indistinguishable from real traffic 8-(.

**************************************************************************

From: Question 47
Date: 02 February 2002
Subject: How do I make NTP packets "interesting" only at router bootup?
Answer by: Paul J Murphy <[email protected]>

!
access-list 101 permit udp any any eq ntp time-range sntp-dial
access-list 101 deny udp any any eq ntp
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
time-range sntp-dial
 absolute end 00:00 01 January 2000
!

The time there doesn't really matter as long as it is later than the epoch time for the device in question, and earlier than the current time. 01/01/2000 was just the arbitrary choice I made last time I configured that.

With that config, NTP will bring up the line if and only if the clock on the Cisco has not already been set.

For an unattended installation which may not dial up very frequently, it may be worth using a time-range which allows dialling once per day to keep the clock reasonably well synced. If your usage pattern results in the line coming up frequently, that is an unnecessary step. Constructing an appropriate time-range statement is left as an exercise for the reader.

If it's a small single user LAN, it's considered polite to avoid the stratum-1 servers. Most ISPs should provide NTP servers for customer use, eg try ntp.<isp>.net, timehost.<isp>.net, ntp0.<isp>.net, ntp1.<isp>.net, etc. Apart from not overloading valuable global resources, using a NTP server local to your ISP will probably provide a more stable time service due to lower latency between the client and server.

See also http://www.get-time.org/ for the UK government NTP initiative (Greenwich Electronic Time).

**************************************************************************


From: Question 48
Date: 02 February 2002
Subject: How do I setup Lock & Key ACL? Or punch temporary holes in my ACL if someone authenticates to my router?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

username foobar password cisco
!
int s0
 ip address 1.1.1.1 255.255.0.0
 ip access-group 101 in
!
! /* or port 22 for ssh */
access-list 101 permit tcp any host 1.1.1.1 eq telnet
access-list 101 dynamic foobar permit ip any any
!
line vty 0 2
 login local
 autocommand access-enable host timeout 5
line vty 3 4
 login local
 rotary 1

The first access list allows telnet into the router. Your users will telnet into the router and authenticate with username foobar and password "cisco".

The router will then immediately disconnect the telnet session. When they successfully authenticate, an access list entry with their source IP will be added to the dynamic list. Basically, if they authenticate correctly, they can come in to the inside network. After 5 mins of inactivity the entry will be deleted from the access list.

The vty 3 and 4 are using the rotary command so that you can telnet to your router with the command: "telnet 1.1.1.1 3001" This takes you to vty 3 (or 4). This way, you can telnet into the router and actually manage it. A very subtle but VERY important point. If you forget this, you'll be making a trip to use the console port.
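The following added model (written for this FAQ; it is not IOS code) traces what access-list 101 above does to a sequence of packets: the static telnet permit to the router, the per-host dynamic entry created by a successful login, and the five-minute idle timer that removes it again. The router address 1.1.1.1 and the credentials foobar/cisco come from the configuration above; the outside hosts 203.0.113.7 and 198.51.100.9 and the inside host 10.0.0.5 are constructed.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Toy model of the lock-and-key configuration from Question 48.  Written for
# this FAQ, not IOS code; hosts other than the router's 1.1.1.1 are constructed.


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass
class DynamicEntry:
    src: str
    last_hit: float             # seconds; any matching packet refreshes it


class LockAndKeyACL:
    """access-list 101: a static 'permit tcp any host <router> eq telnet' plus
    a dynamic 'permit ip any any' that exists, per source host, only after
    that host has authenticated on a vty."""

    def __init__(self, router_ip: str, users: Dict[str, str], idle_timeout: float = 300):
        self.router_ip = router_ip
        self.users = users                  # username -> password ('login local')
        self.idle_timeout = idle_timeout    # 'timeout 5' minutes = 300 seconds
        self.dynamic: Dict[str, DynamicEntry] = {}

    def authenticate(self, user: str, password: str, src: str, now: float) -> bool:
        """'autocommand access-enable host timeout 5': on success the caller's
        source address gets a dynamic entry and the telnet session is closed."""
        expected = self.users.get(user)
        ok = expected is not None and hmac.compare_digest(expected.encode(), password.encode())
        if ok:
            self.dynamic[src] = DynamicEntry(src, now)
        return ok

    def expire(self, now: float) -> None:
        """Entries that have been idle for the full timeout are removed."""
        for src, entry in list(self.dynamic.items()):
            if now - entry.last_hit >= self.idle_timeout:
                del self.dynamic[src]

    def evaluate(self, pkt: Packet, now: float) -> str:
        self.expire(now)
        # line 1: permit tcp any host 1.1.1.1 eq telnet  (the door you knock on)
        if pkt.proto == "tcp" and pkt.dst == self.router_ip and pkt.dport == 23:
            return "permit"
        # line 2: dynamic foobar permit ip any any, instantiated as 'host <src>'
        entry = self.dynamic.get(pkt.src)
        if entry is not None:
            entry.last_hit = now
            return "permit"
        return "deny"                       # implicit deny at the end of the list


def demo() -> Dict[str, str]:
    """A walk through the answer's flow with constructed hosts."""
    acl = LockAndKeyACL("1.1.1.1", {"foobar": "cisco"})
    me = "203.0.113.7"
    inside = Packet(me, "10.0.0.5", "tcp", 22)       # a host behind the router
    knock = Packet(me, "1.1.1.1", "tcp", 23)         # telnet to the router itself
    rotary = Packet(me, "1.1.1.1", "tcp", 3001)      # the rotary vty for management
    stranger = Packet("198.51.100.9", "10.0.0.5", "tcp", 22)
    t: Dict[str, str] = {}
    t["inside before auth"] = acl.evaluate(inside, 0)
    t["telnet to router"] = acl.evaluate(knock, 1)
    t["wrong password"] = str(acl.authenticate("foobar", "Cisco", me, 2))
    t["inside after wrong password"] = acl.evaluate(inside, 3)
    t["right password"] = str(acl.authenticate("foobar", "cisco", me, 4))
    t["inside after auth"] = acl.evaluate(inside, 5)
    t["rotary vty after auth"] = acl.evaluate(rotary, 6)
    t["stranger after my auth"] = acl.evaluate(stranger, 7)
    t["inside 4 min idle"] = acl.evaluate(inside, 6 + 240)      # refreshes the timer
    t["inside 5 min idle"] = acl.evaluate(inside, 246 + 300)    # entry has expired
    return t


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:28} {verdict}")
```

Note that the dynamic entry is keyed on the authenticated source address only, so the stranger at 198.51.100.9 stays outside after my login, and the idle clock restarts on every permitted packet, which is why traffic four minutes apart keeps the hole open and a full five minutes of silence closes it.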

**************************************************************************

From: Question 49
Date: 02 February 2002
Subject: How do I telnet to a specific VTY line?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

See "rotary" example in question 48.

**************************************************************************

From: Question 50
Date: 02 February 2002
Subject: Is there a better (free) tftp server than the one by Cisco?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

3CDv2r10.zip file located at:
http://support.3com.com/software/utilities_for_windows_32_bit.htm

**************************************************************************

From: Question 51
Date: 02 February 2002
Subject: How do I use the Cisco Documentation CD (UniverseCD) under Linux?
Answer by: Vincent C Jones [email protected]

Another option is to suffer like us Linux users and forego the ability to search the CD (but hey, for that you can go online). The technique below works fine if your platform can run an Apache web server. Note the update for more recent CD's which use bzip2 rather than gzip compression.

Using Apache/1.3.3, I use these configuration directives:

-----CUT HERE-----

Alias /cisco/ /cisco-cdrom-mount-point/

<Directory /cisco-cdrom-mount-point>
Options Indexes
AllowOverride None
order deny,allow
deny from all
allow from localhost
</Directory>

<Location /cisco/cc/>
AddEncoding x-gzip htm pdf
</Location>

-----CUT HERE-----

and then, you should be able to access all compressed contents! Start with 'http://localhost/cisco/home/home.htm'.

The whole trick is to make Apache tell netscape (or ie, or lynx) that contents must be gunzipped (HTTP/1.1 Mime-Encoding header).

**************************************************************************

Update added July 15, 2000 by Dr Vincent C Jones, PE:

Starting July 2000 or so, the encoding switched to bzip2. So change the apache entries to "x-bzip" and add bzip entries if required to /opt/netscape/Netscape.ad as shown below.

*encodingFilters: \
    x-compress : : .Z : uncompress -c \n\
    compress : : .Z : uncompress -c \n\
    x-bzip : : .bz,.bz2 : bzip2 -cdq \n\
    bzip : : .bz,.bz2 : bzip2 -cdq \n\
    x-gzip : : .z,.gz : gzip -cdq \n\
    gzip : : .z,.gz : gzip -cdq \n

**************************************************************************

Update added June 10, 2001 by Dr Vincent C Jones, PE:

Newer versions of Netscape do not use a Netscape.ad file. Instead, the changes can be made to ~/.Xdefaults. Note that these changes CANNOT be added from Netscape using edit/preferences.

**************************************************************************


From: Question 52
Date: 02 February 2002
Subject: How do I NAT on a single Cisco 2503 Ethernet interface
Answer by: "Pawel Sikora" <[email protected]>

interface Loopback0
 ip address 10.0.255.1 255.255.255.0
 ip nat inside
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address xxx.yyy.zzz.ttt 255.255.255.248
 ip nat outside
 ip policy route-map LOOPNAT
!
ip nat inside source list 1 interface Ethernet0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map LOOPNAT permit 10
 match ip address 1
 set interface Loopback0
!
------------------------
Note that the Lo0 interface may have any ip address.

**************************************************************************

From: Question 53
Date: 02 February 2002
Subject: How do I hide a summarized OSPF route from one ABR to another?
Answer by: Alex Bakhtin <[email protected]>

area 1 range x.x.x.x x.x.x.x not-advertise

**************************************************************************

From: Question 54
Date: 02 February 2002
Subject: What is the pinout for the Console port on a 2518?
Answer by: Michael Shorts ([email protected])

The CISCO2518 has a console port on the hub card which is a different pinout than the standard Cisco console (the hub card is an OEM from another company).

The pinout is:

Management Console Pinout

RJ-45 pin   Description   Direction   DB-25 pin
1           TxD           output      3
2           GND           -           7
3           RTS           output      5
4           CTS           input       4
5           DTR           output      6
6           DSR           input       20
7           shield        -           -
8           RxD           input       2

Note that the console port does not support RTS/CTS hardware flow control.

**************************************************************************

From: Question 55
Date: 02 February 2002
Subject: How do I find the "real" IOS name when the file is in DOS format?
Answer by: Terry Kennedy <[email protected]>

Given:
> -rw-rw-r--  1 jomo  sol3  8465736 May 30 08:49 aaa1324.bin
> -rw-rw-r--  1 jomo  sol3  7891164 May 30 08:49 aaa1325.bin
> -rw-rw-r--  1 jomo  sol3  7347200 May 30 10:46 aaa1326.bin

Try "strings aaa1234.bin". You should see something like:

Cisco Internetwork Operating System Software IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(9), RELEASE SOFTWARE (fc1)

near the end, mixed in with all the other junk. If these are compressed (mz-style) images, you'll have to unzip them first. Ignore the warning that says something like:

(9:44) gate:/tmp# unzip c5300-j-mz.120-8.bin
Archive:  c5300-j-mz.120-8.bin
warning [c5300-j-mz.120-8.bin]:  19376 extra bytes at beginning or within zipfile
  (attempting to process anyway)
  inflating: C5300-J-.BIN

and then grep the resulting file.
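The same check done in code, as an added example that is not part of the FAQ: scan a file for the IOS banner line, and, when the file is an mz-style zip with loader bytes in front of the archive, let zipfile skip those extra bytes (it locates the central directory from the end, as unzip does) and scan the inflated member instead. The sample blobs are constructed stand-ins, not real IOS images; the "5300" banner text inside the zip is a placeholder.

```python
import io
import re
import zipfile

# The banner line the FAQ says "strings" turns up near the end of an image.
BANNER_RE = re.compile(
    rb"IOS \(tm\) (?P<platform>\S+) Software \((?P<image>[^)]+)\), "
    rb"Version (?P<version>[^,]+),"
)


def find_ios_banner(blob):
    """Scan raw bytes for the IOS banner; return platform, image name and version, or None."""
    match = BANNER_RE.search(blob)
    if match is None:
        return None
    return {key: value.decode("ascii") for key, value in match.groupdict().items()}


def unpack_mz_image(blob):
    """Return the first member of a zip-compressed (mz) image, or None if blob is not a zip.

    zipfile finds the end-of-central-directory record from the end of the data,
    so the extra bytes before the archive (the self-extracting loader that makes
    unzip warn) are tolerated just as they are by unzip.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as archive:
            names = archive.namelist()
            if not names:
                return None
            return archive.read(names[0])
    except zipfile.BadZipFile:
        return None


def identify_image(blob):
    """Try the raw bytes first (plain image); otherwise unpack an mz image and scan the payload."""
    info = find_ios_banner(blob)
    if info is not None:
        return info
    payload = unpack_mz_image(blob)
    if payload is None:
        return None
    return find_ios_banner(payload)


# Constructed stand-in for an uncompressed image, using the banner quoted in the FAQ.
RAW_SAMPLE = (
    b"\x00" * 64
    + b"Cisco Internetwork Operating System Software \n"
    + b"IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(9), RELEASE SOFTWARE (fc1)\n"
    + b"\xff" * 64
)


def build_sample_mz_image(leading_bytes=19376):
    """Constructed mz-style stand-in: a zip holding a placeholder banner, with filler
    bytes in front of the archive like the 'extra bytes at beginning' unzip reports."""
    payload = (
        b"\x00" * 32
        + b"IOS (tm) 5300 Software (C5300-J-M), Version 12.0(8), RELEASE SOFTWARE (fc1)\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("C5300-J-.BIN", payload)
    return b"\xaa" * leading_bytes + buf.getvalue()


if __name__ == "__main__":
    print(identify_image(RAW_SAMPLE))
    print(identify_image(build_sample_mz_image()))
```

Point it at a real file with identify_image(open(path, "rb").read()); a None result means neither a plain banner nor an unpackable zip was found.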

**************************************************************************

From: Question 56
Date: 02 February 2002
Subject: How do I setup Windows 2000 and IPSec to PIX Firewall
Answer by: "Steven Griffin" <[email protected]>

To describe how to use the Local Security Policy MMC in W2K would take a long time. So, the config I will share with you is the 'dial-up' one I mentioned before. In this posting I will detail the bare minimum needed to get a W2K client working with a PIX firewall running v6.01 software. For simplicity I use a preshared key for authentication. Since I have to embed this key into the script I use it makes the configuration open and thus vulnerable. However, you should be able to tweak the configuration from this to meet your own security needs. The W2K IPSec client supports certificates as well as preshared keys so a "secure" version of this config is attainable.

The configuration script I eked out (it isn't beautiful code) is actually written in Perl. If you would like to re-write it in the old DOS batch file format, please do so. Otherwise, you should find a copy of Perl for NT/W2K. I use the version found at http://www.activestate.com. The Perl script I show here is documented as to what it does. The MS ipsecpol.exe program that you have to use has its own documentation which you should read. For the PIX I give you only the crypto, isakmp, and sysopt commands you need to issue to your PIX to make this config work. The config assumes that the PIX has NAT enabled.

Ok, enough blabber, here it is... I hope it is helpful!

For the purposes of this 'demo' config, the PIX Firewall will have 192.168.0.1 as its outside IP. The inside network will be the 10.0.X.X network. The inside router will be 10.0.0.1.

Quick Network Schematic:

[W2K] --> [Dial-Up WAN adapter (DHCP assigned address)] --->[Internet]---->[PIX Firewall(192.168.0.1)] ---> [Internal LAN(10.0.X.X)] --> [Inside Router (10.0.0.1)]

The PIX firewall commands needed are:

sysopt connection permit-ipsec
sysopt connection permit-l2tp
sysopt ipsec pl-compatible

crypto ipsec transform-set W2K esp-des esp-md5-hmac
crypto ipsec transform-set W2K mode transport
crypto dynamic-map W2KDynamic 11 set transform-set W2K
crypto map W2K-Map 23 ipsec-isakmp dynamic W2KDynamic
crypto map W2K-Map interface outside

isakmp identity address
isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 28800
isakmp enable outside

The Perl script I wrote is as follows. I execute this script every time I establish a connection with my dial-up ISP. It then sets up the IPSec tunnel using my current ISP assigned IP Address.

#begin listing

# IPSecInit.pl
# Written by: Steven Griffin Jr.
# Date: 6 June, 2001.

# Note: The basis of this code came from the PERL documentation site.
# The original snippets came from the links below.
# http://www.perldoc.com/perl5.6/lib/Net/hostent.html
# http://www.perldoc.com/perl5.6/lib/Net/Ping.html
# I should put this in POD format at some point but I am in a hurry right now.

use Net::hostent;
use Socket;
use Net::Ping;

# Two Variables: One for the local IP Address and one for the VPN Server
# This script assumes that the VPN Server has a static IP
# (Declared separately: a comma between them would only assign $VPNHostIP.)

my $localipaddress = '';
my $VPNHostIP = '192.168.0.1';

# The following section of code discerns the IP address of the host provided
# in the command line arguments. The default is the localhost.
# NOTE: The code section is smart and gives you a routable IP (if available)
# and not just 127.0.0.1
# This section is pretty much identical to the one found on the PERL
# documentation site.
# I just added an assignment of the discerned IP address to the
# $localipaddress variable.
# I also changed the @ARGV assignment to 'localhost' instead of 'netscape.com'
# Note that $localipaddress is only set when the host has a single address.

@ARGV = ('localhost') unless @ARGV;

for $host ( @ARGV ) {
    unless ($h = gethost($host)) {
        warn "$0: no such host: $host\n";
        next;
    }

    printf "\n%s is %s%s\n", $host,
        lc($h->name) eq lc($host) ? "" : "*really* ",
        $h->name;

    print "\taliases are ", join(", ", @{$h->aliases}), "\n"
        if @{$h->aliases};

    if ( @{$h->addr_list} > 1 ) {
        my $i = 0;
        for $addr ( @{$h->addr_list} ) {
            printf "\taddr #%d is [%s]\n", $i++, inet_ntoa($addr);
        }
    } else {
        # my modification is on the next line.
        printf "\taddress is [%s]\n", $localipaddress = inet_ntoa($h->addr);
    }

    if ($h = gethostbyaddr($h->addr)) {
        if (lc($h->name) ne lc($host)) {
            printf "\tThat addr reverses to host %s!\n", $h->name;
            $host = $h->name;
            redo;
        }
    }
}

# This next section is a very modified version of the Ping example on the
# Perl Documentation Website.

# Now that we know our IP address, we can setup the IPSec tunnel.
# First we try and ping our VPN server.
$p = Net::Ping->new("icmp");
print "\nCan I see my firewall? ";
if ($p->ping($VPNHostIP)) {
    print "Yes\nAttempting to initialize IPSec Connection";

    # Now that we can see our server, lets stop and start the W2K IPSec Policy
    # Agent. This deletes any 'dynamic' IPSec policies that may have been in
    # effect before.
    print "\nResetting IPSec Policy Agent";
    $cmdstring = 'Net Stop "IPSec Policy Agent"';
    system($cmdstring);
    $cmdstring = 'Net Start "IPSec Policy Agent"';
    system($cmdstring);

    # Now we issue the ipsecpol command to setup the tunnel to our VPN Server.
    # The ipsecpol command line utility can be found on Microsoft's Website.
    # http://www.microsoft.com/downloads/release.asp?ReleaseID=29167
    # or
    # http://download.microsoft.com/download/win2000platform/ipsecpol/1.00.0.0/NT5/EN-US/ipsecpol_setup.exe

    # MS requires two ipsecpol commands be issued in order to setup a tunnel.
    # One for the inbound traffic and one for the outbound traffic.
    # For this Tunnel I used the following settings:
    # The IPSec filter '-f' is for the 10.0.0.0 255.255.0.0 network to My IP Address.
    # The tunnel setting '-t' is either My IP Address or the VPN Server's IP Address.
    # The security method list '-1s' is for DES-MD5-1
    # The security negotiation setting '-n' is for ESP[DES,MD5]
    # We are using QuickMode key exchange '-1k' rekeys after 10 quick modes '10q'
    # We are using perfect forward secrecy '-1p'
    # For authentication we are using a preshared key '-a'
    # NOTE: the preshared key must be enclosed in double quotes
    # See the documentation of the utility for further details.
    print "\nSetup IPSec Tunnel";

    # This sets-up the inbound leg of the tunnel. We are filtering all traffic
    # inbound from 10.0.X.X to our IP address.
    # The critical part of this statement is that the -t argument must contain
    # our local IP.
    $cmdstring = 'ipsecpol -f 10.0.*.*=' . $localipaddress
               . ' -t ' . $localipaddress
               . ' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
    printf "\n%s", $cmdstring;
    system($cmdstring);

    # This sets-up the outbound leg of the tunnel. We are filtering all traffic
    # outbound to 10.0.X.X from our IP address.
    # The critical part of this statement is that the -t argument must contain
    # the VPN Server's IP Address.
    $cmdstring = 'ipsecpol -f ' . $localipaddress . '=10.0.*.*'
               . ' -t ' . $VPNHostIP
               . ' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
    printf "\n%s\n", $cmdstring;
    system($cmdstring);

    # Now that we have issued our commands, we should test the network and see
    # if we can see inside it.
    # The internal router is the easiest target. Here it is 10.0.0.1.

    # We first do a ping just so that the IPSec tunnel will negotiate. W2K does
    # not setup the tunnel until you actually try and send traffic to an IPSec
    # filtered IP address.
    # Now we do another ping and tell the user what happened.
    print "\nTrying to ping internal network: ";
    $p->ping("10.0.0.1");
    if ($p->ping("10.0.0.1")) {
        print "Success\n";
        sleep(1);
    } else {
        print "Failure\n";
        sleep(1);
    }
} else {
    # If we reach this point, we could not see our VPN Server's external IP
    # address from our ISP.
    print "No\nTry redialing your ISP";
    sleep(3);
}
$p->close();

#end listing

**************************************************************************


From: Question 57
Date: 02 February 2002
Subject: How do I use tftpdnld via Ethernet port on a 2600?
Answer by: "Joel" <[email protected]>

Press Ctrl+Break on the terminal keyboard within 60 seconds of the power-up to put the router into ROMMON.

rommon 1 > IP_ADDRESS=172.15.19.11
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=172.16.19.1
rommon 4 > TFTP_SERVER=172.15.20.10
rommon 5 > TFTP_FILE=/tftpboot/c2600-i-mz
rommon 6 > tftpdnld

**************************************************************************

From: Question 58
Date: 02 February 2002
Subject: How do I setup MultiLinkPPP?
Answer by: "Patrick M. Hausen" <[email protected]>

multilink PPP without virtual template

int Multilink1
 description multilink bundle
 ip unnumbered Loopback0
 ppp multilink
 multilink-group 1
!
int Ser0
 description first T1 line
 encaps ppp
 ppp multi
 multilink-group 1
!
int Ser1
 description second T1 line
 encaps ppp
 ppp multi
 multilink-group 1

Again, recent software necessary: at least 12.0T or 12.1 or one of the ISP branches (12.0S).

**************************************************************************

From: Question 59
Date: 02 February 2002
Subject: How much memory is taken up by BGP routes?
Answer by: "Laron Swapp" <[email protected]>

As a reference, please see the following from http://www.cisco.com/warp/public/459/ (I'd like to drill down another level to decide why each entry contains 240 bytes!)

Tech Tip: How Much Memory Does Each BGP Route Consume?

Each Border Gateway Protocol (BGP) entry takes about 240 bytes of memory in the BGP table and another 240 bytes in the IP routing table. Each BGP path takes about 110 bytes.

**************************************************************************

From: Question 60
Date: 02 February 2002
Subject: What is the difference between a CiscoPro model and a regular one?
Answer by: Michael Shorts <[email protected]>

It depends on the model. With some models, it's just a different paint color. Other models have a special key that restricts the software images that can be used (for those, there is a "cookie programming" utility to turn it into a "regular" unit).

**************************************************************************

From: Question 61
Date: 02 February 2002
Subject: How do I stop my router from looking for cisconet.cfg or network-config?
Answer by: [email protected] (Vincent C Jones)

Look up "service config" in the manual (available on www.cisco.com if you do not have a local copy). Turn it off using the command "no service config" in configuration mode.

**************************************************************************

From: Question 62
Date: 02 February 2002
Subject: How do I setup DHCP service on my router?
Answer by: Dave Phelps <[email protected]>

Here is my 1601 performing as a DHCP server config...The static pool is how I use DHCP to assign the same IP to the same PC each time, essentially a static IP address assignment. The only other requirement would be that on the interface DHCP requests will be received, if you have an inbound ACL, bootp must be permitted.

ip dhcp excluded-address 192.168.3.1 192.168.3.9
!
ip dhcp pool dhcp-pool
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 netbios-node-type b-node
 dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee
!
ip dhcp pool static-pool
 host 192.168.3.2 255.255.255.0
 client-identifier 0100.00c5.0cbd.7e
 client-name main_pc
 default-router 192.168.3.1
 dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee

**************************************************************************

From: Question 63
Date: 02 February 2002
Subject: How do I configure transparent proxy redirecting on a Cisco router?
Answer by: [email protected] (Alan Strassberg)

>Is it possible to configure transparent proxy redirecting on a CISCO router?
>I would like to redirect all www requests from specific IP addresses to
>another IP address and another port.

A route-map does the IP redirection nicely, I've used it for http and smtp. Not sure about switching ports simultaneously with the same route map, but you could fix this with 'ipfw' or similar on the host. Be sure you have 'ip route-cache policy' enabled to save CPU on the interface. WCCP is another option.

http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.5

**************************************************************************

From: Question 64
Date: 02 February 2002
Subject: How do I use the PCMCIA slot in my 2500 router?
Answer by: "Josh Duffek" <[email protected]>

That slot is not used anymore. It was used about four years ago to load boot helper code or feature set upgrades.

**************************************************************************

From: Question 65
Date: 02 February 2002
Subject: What cable do I use on 1900 switch with a DB9 Console connector?
Answer by: "aros.net" <[email protected]>

Hi, Thanks for the help. Just so anyone searching the archives will find the answer, for an old Catalyst 1900 switch a DB9 female to DB9 female null modem cable works great and solved my console connection problem.

For the search engines: the terminal program was returning ATQ0H0 and ATQ0Z0 on an old Cisco Catalyst 1900 switch.

**************************************************************************

From: Question 40
Date: 02 February 2002
Subject: How do I use a route-map to limit redistribution in OSPF?
Answer by: hbae_@_nyc.rr.com.REMOVE_ (Hansang Bae)

! /* match only 172.16.10.x and 172.16.11.x subnets */
!
access-list 1 permit 172.16.10.0 0.0.1.255
!
!
! /* use access-list 1 to determine what gets matched */
!
route-map LoopbacksOnly permit 10
 match ip address 1
!
!
! /* redistribute connected networks, any and all subnets, */
! /* and seed it as E2 type (metric-type 2). Note that     */
! /* throughout your OSPF domain, your loopbacks will have */
! /* a metric of 20. 20 is the default metric when you     */
! /* redistribute into OSPF, except for BGP routes which   */
! /* get a metric of 1. Also use the route-map             */
! /* LoopbacksOnly to selectively redistribute only the    */
! /* ones we want to redistribute.                         */
!
router ospf 200
 redistribute connected subnets metric-type 2 route-map LoopbacksOnly

**************************************************************************

From: Question 68
Date: 02 February 2002
Subject: How do I connect 675 DSL units back to back?
Answer by: "Josh Duffek" <[email protected]>

Well I found out that you can hook up other DSL boxes back to back... here is part of an email I found on it:

you need:
'dsl equipment-type CO' on one side and
'dsl equipment-type CPE' on the other

Here is a working example from the lab:

(The distance limitation should be the same as the one found in the docs)

also, you can run 'debug dsl-phy', a new command, to look at the trainup.

(CO side, an 828)

!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl equipment-type CO
 dsl operating-mode GSHDSL symmetric annex A
 dsl linerate AUTO
!
interface ATM0.1 point-to-point
 ip address 1.1.1.2 255.255.255.0
 pvc 1/33
  encapsulation aal5snap
 !
!

(CPE side, a SOHO78)

!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex A
 dsl linerate AUTO
!
interface ATM0.1 point-to-point
 ip address 1.1.1.1 255.255.255.0
 pvc 1/33
  encapsulation aal5snap
 !

**************************************************************************

From: Question 68
Date: 02 February 2002
Subject: How do I format the PCMCIA card on a 3600?
Answer by: "Brian" <[email protected]>

Thanks guys. The "erase slot0" turned the trick. I appreciate the help.

**************************************************************************

From: Question 69
Date: 02 February 2002
Subject: How do I read Token Ring MAC and RIF?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

> Of the following Token Ring Source MAC addresses, which one indicates to
> receiving hosts that RIF is present.
> A.0007.7816.fe58
> B.1007.7816.fe54
> C.7007.7816.fe54
> D.8007.7816.fe58
> E.3007.7816.fe54
>
> The correct answer is D and here is the explanation: "When a RIF is present,
> the first bit of the source MAC address is set to 1. Therefore, any address
> that begins with 8 through f denotes that a RIF will follow the source MAC
> address."
>
> Here is my analysis:
> 8:1000 9:1001 a:1010 b:1011 c:1100 d:1101 e:1110 f:1111
>
> Fine, we see that the first bit is set to 1 and a RIF will follow. My
> confusion is this: Is 8007.7816.fe58 actually a MAC address that is seen
> on the other side? I thought we were supposed to swap the MAC address if
> configured with RSRB or SRT?

You swap the bits in the MAC because Ethernet is canonical and TR is non-canonical. There would be no translation in TR to TR. And by definition, if the other side saw the item D as the address, it would have to be TR as there are no RIFs in the Ethernet world.

> What kind of concept is behind changing this first
> bit of the MAC address? Say like I have a MAC 2678 and I like to set the first
> bit to 1, so it changes to what, 8,9,a,b,c,d,e, or f? I know the first few
> bits of a MAC represent a certain vendor identity, but by changing the first bit
> in the MAC, is it something kind of odd? What about ARP or RARP service to this
> change? and all and all. Help please.

In Ethernet, the 47th place bit (first one from the left if the MAC was written in binary) represents whether this is a Group or Individual MAC address. All group addresses (including the broadcast) will have this set to a binary 1. The 46th place bit (second one from the left if the MAC was written in binary) represents the Globally Unique or Locally Assigned bit.

If you change your MAC, it should set the 46th bit. (of course many drivers do not do this these days).

The part that can get confusing is that the Most Significant *BYTE* is transmitted first. But within that byte, the Least Significant *BIT* is transmitted first. For those of you who dealt with ODI drivers in DOS days, whenever you loaded up the LSL.com, it said ....LSB Mode.... That signified that it was running in Least Significant Bit mode. Just a bit of trivia for you trivia buffs.

Here's a concrete example:

Let's say my MAC address on this machine is: 08-10-A4-C5-B3-4D

How would this get transmitted? Well, we know that 08 will go first (it's the most significant *byte*), then 10, then A4 etc. So when 08 gets transmitted, remember that it's the LSBit that hits the wire first... so

08 in binary is: 00001000
So the transmission order is 0, 0, 0, 1, 0, 0, 0, 0.

I'll skip the 10 since it's equally uninteresting. Moving on to A4

A4 in binary is: 10100100
So the transmission order is 0, 0, 1, 0, 0, 1, 0, 1.
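The bit juggling above, worked through in code as an added example that is not part of the FAQ: per-byte wire order for Ethernet, the I/G and U/L bits, the canonical/non-canonical (Ethernet/Token Ring) bit swap, and the RIF check on the five Token Ring source addresses from the question. The MAC 08-10-A4-C5-B3-4D and the five choices come from the text above; the function names are my own.

```python
import re

# Sample values taken from the discussion above.
FAQ_ETHERNET_MAC = "08-10-A4-C5-B3-4D"
TOKEN_RING_CHOICES = {
    "A": "0007.7816.fe58",
    "B": "1007.7816.fe54",
    "C": "7007.7816.fe54",
    "D": "8007.7816.fe58",
    "E": "3007.7816.fe54",
}


def parse_mac(text):
    """Accept 08-10-A4-C5-B3-4D, 08:10:a4:c5:b3:4d or 0810.a4c5.b34d; return the 6 bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError("MAC address must contain exactly 12 hex digits: %r" % text)
    return bytes.fromhex(digits)


def format_mac(mac, sep="-"):
    return sep.join("%02X" % b for b in mac)


def reverse_bits(byte):
    """Mirror the 8 bits of one byte: 0x08 (00001000) becomes 0x10 (00010000)."""
    return int("{:08b}".format(byte)[::-1], 2)


def ethernet_wire_order(mac):
    """Bits in the order they hit an Ethernet wire: most significant byte first,
    and within each byte the least significant bit first (LSB mode)."""
    return [[(b >> i) & 1 for i in range(8)] for b in mac]


def swap_canonical_noncanonical(mac):
    """Convert between Ethernet (canonical) and Token Ring (non-canonical) form by
    reversing the bits of every byte. The operation is its own inverse, so the
    same call converts in either direction."""
    return bytes(reverse_bits(b) for b in mac)


def is_group_address(mac):
    """I/G bit: least significant bit of the first byte in canonical form, which is
    the first bit transmitted on Ethernet (the '47th place bit' in the text)."""
    return bool(mac[0] & 0x01)


def is_locally_administered(mac):
    """U/L bit: next bit up in the first byte (the '46th place bit')."""
    return bool(mac[0] & 0x02)


def token_ring_rif_present(tr_mac_text):
    """Token Ring addresses are written non-canonically, so the first bit on the
    ring is the most significant bit of the first byte. In a source address that
    position is the routing information indicator: set means a RIF follows."""
    return bool(parse_mac(tr_mac_text)[0] & 0x80)


def describe(mac_text):
    """Summarise one Ethernet MAC the way the answer above walks through it."""
    mac = parse_mac(mac_text)
    return {
        "canonical": format_mac(mac),
        "non_canonical": format_mac(swap_canonical_noncanonical(mac)),
        "group": is_group_address(mac),
        "locally_administered": is_locally_administered(mac),
        "wire_bits_first_byte": ethernet_wire_order(mac)[0],
    }


if __name__ == "__main__":
    print(describe(FAQ_ETHERNET_MAC))
    for letter, choice in sorted(TOKEN_RING_CHOICES.items()):
        print(letter, choice, "RIF present" if token_ring_rif_present(choice) else "no RIF")
```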

**************************************************************************

From: Question 70
Date: 02 February 2002
Subject: How are Ethernet MAC addresses transmitted?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

See question 69.

**************************************************************************

From: Question 71
Date: 02 February 2002
Subject: Why are the 46th and the 47th bit significant in Ethernet MAC address?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

See question 69.

**************************************************************************

From: Question 72
Date: 02 February 2002
Subject: Why can't I upload an IOS image on to my flash on my 2500 router?
Answer by: Michael Shorts <[email protected]>

> i took one from another 2500, same label E28F008SA and unfortunately,
> same ERROR MESSAGE while issuing COPY TFTP FLASH from config-reg
> 0x2101

The flash in your system is not recognized by the boot ROM. You can upgrade your boot ROM (Cisco part BOOT-2500=) or use flash that is compatible (Intel).

**************************************************************************

From: Question 73
Date: 02 February 2002
Subject: How do I configure my router so it becomes a DHCP CLIENT?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

You need 12.1(2)T or later on one of these platforms: C800, C100x, C1400, C160x, C17x0, C25xx, C26xx, C36xx, C4x00, C64xx, C7x00, C8500, C12000, UBR900, UBR7200, or MC3810.

The interface command is "ip address dhcp".

**************************************************************************

From: Question 74
Date: 02 February 2002
Subject: Does my Cisco terminal server send a BREAK signal on reboot?
Answer by: [email protected] (Aaron Leonard)

2611's or 2511's? The NM-A async modules do NOT exhibit the break-on-poweroff problem. See http://www.conserver.com/consoles/breakinfo.html for an independent report.


**************************************************************************

From: Question 75
Date: 02 February 2002
Subject: How do I access the Console port on an AccessPro (AP-EC) card?
Answer by: [email protected] (Martin H. Levin)

I have had similar problems accessing the console on the AccessPro card. I read somewhere that the AccessPro has a problem with Windows, which during the boot probes the serial ports looking for the mouse. My answer to this has been to put the card in an old 486 and use DOS with an old terminal program to access the AP-EC card. It works! I have two AP-EC cards in the same machine, which I have initially configured using com ports 1 and 2 and switch the terminal program from com1 to com2 and back as I need to set up the two cards. Once set up, the console on each card can be reached through the aux port.

The problem with Windows has been handy, since this setup doesn't allow for entry into monitor when the password is lost (or you get a bad secrets message). After much effort and reading the Windows problem message, I took the card out of the DOS machine, put it into a Windows machine and sure enough the damn thing went into monitor mode and I was able to recover/reset the password.

**************************************************************************

From: Question 76
Date: 02 February 2002
Subject: How do you setup a simple Priority Queuing?
Answer by: Richard Gallagher <[email protected]>

I would take a look at priority queuing, see the link below:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/qos_c/qcprt2/qcdpq.htm

A simple config for your case would be:

priority-list 1 protocol ip high tcp telnet
priority-list 1 default medium

interface Ethernet1
 ip address 10.1.1.1 255.0.0.0
 no ip directed-broadcast
 priority-group 1

**************************************************************************

From: Question 77
Date: 02 February 2002
Subject: What are the pros and cons of using two ISP/BGP providers?
Answer by: [email protected] (Vincent C Jones)

>Why would you use BGP with 2 Internet T1 vs using equal cost
>static routing? What's the pros and cons? Thank you.

This question (or variations on it) gets hashed out fairly routinely on this newsgroup; hopefully Hansang will be able to include a brief discussion in the FAQ even though it is not a Cisco specific problem.

The answer in a nutshell is: It depends.

If each T1 goes to a different ISP, then you must use BGP to have the same public address regardless of route taken.

If each T1 goes to the same ISP and load sharing and ease of setup/management is more important than availability, then go with static routes.

If the T1 links do not support end-to-end keepalives, go with BGP to avoid black holes.

If the T1 links go to different POPs of the same ISP, use BGP and indicator routes to detect ISP segmentation.

If the T1 links go to geographically diverse POPs, then BGP with full or local routes may improve routing efficiency.

For more detail, see the blurb I wrote for O'Reilly on the topic at http://www.oreillynet.com/pub/a/network/2001/05/11/multihoming.html (for those reading this out of the archives at a future date, a more detailed version of this paper will be appearing as a White Paper on my web site, but it will not be there until late Summer). Chapter 8 of my book walks you through all the alternatives from two T1s between a single router at your site and a single router at the ISP, to two T1's between separate routers at your site to two different ISPs. For how to get the most out of BGP, including load sharing and efficiency considerations (my book only considers availability), read Halabi's book.

If none of the above makes sense to you, hire a competent consultant to walk you through the alternatives and their tradeoffs.

Note to Hansang: Feel free to extract/reuse whatever you need from the O'Reilly blurb mentioned above, I own the copyright and will be glad to give "reprint permission" to the FAQ as long as Networking Unlimited gets proper credit.

***** The O'Reilly article follows: *****

by Vincent Jones 05/11/2001

Many organizations depend upon Internet connectivity to support critical applications. One popular approach for improving Internet connectivity is to connect to more than one Internet service provider (ISP), a technique called multi-homing.

Multi-homing can be very effective for ensuring continuous connectivity -- eliminating the ISP as a single point of failure -- and it can be cost effective as well. However, your multi-homing strategy must be carefully planned to ensure that you actually improve connectivity for your company, not degrade it.


THE CONCEPT OF PHYSICAL DIVERSITY

First, I want to discuss the network components that can affect overall connectivity. Because most network failures are due to problems in the WAN links, it does little good to connect to a second ISP if both ISP links are carried over the same communications circuit. Even if independent circuits are used -- if they are not physically diverse they will still be subject to common failure events such as construction work inside your building or digging in the street outside.

Providing complete physical diversity can be difficult and expensive, but the requirement is not limited to ISP connections. All critical network links for internal communications should also be diversified. Assuming an otherwise well-designed internal network, the easiest way to achieve physical diversity in your ISP connections is to connect from two different locations that are already well-connected to each other. But they must be far enough apart that they don't share any common communications facilities to either ISP.

REDIRECTING TRAFFIC USING THE BORDER GATEWAY PROTOCOL

Once physical connectivity is in place, you need to make it useful. Taking advantage of redundant links requires two conditions to always be present. First, you must be able to detect when a link has failed. Second, you must have a mechanism for redirecting traffic that would normally flow across a failed link to take a different path that is still functional. In a multi-homing environment, both tasks are normally achieved by running Border Gateway Protocol (BGP) between your routers and those of the ISPs.

BGP is often assumed to mean complex configurations on expensive, high-end routers to handle the huge routing tables required to fully describe the Internet. However, depending upon the specific application requirements and the degree of load-balancing you want across all available links, it may be practical to implement multi-homing using the smallest routers you have available that are capable of handling the traffic load.

In other words, implementing multi-homing doesn't have to be an all-or-nothing choice. There are choices you can make along the way based upon the equipment you have available and the level of connectivity you need to provide.

DETERMINING LEVEL OF CONNECTIVITY REQUIRED

At one extreme, when your goal is simply to provide internal users with access to the Internet, you don't need to run BGP at all. As long as the link layer protocol supports the exchange of keep-alive messages from router to router, link failure will be detected by the link layer protocol. Floating static routes can then reliably direct all outbound traffic to a working ISP link.

Network Address Translation (NAT) is then used to send outbound packets with a source IP address associated by the ISP with that outbound link. Return traffic will automatically come back via the same working link because that link is the only link servicing that address range.

Of course this approach will not work if you are providing services to the outside world, as the addresses associated with the failed link will disappear. Similarly, connections that were established over the link that failed will need to be reconnected. However, for many applications this impact is minor.

For example, a typical web surfer would merely need to hit the "page refresh" button. This approach is also sufficient to provide high-availability virtual private networks (VPN) across the Internet if you use a routing protocol such as OSPF to detect and route around failed IPSec tunnels.


The other extreme would be when you need to support a common IP address range using both ISPs. Then you need to run BGP. This will normally be the case any time your applications include providing services to Internet users, such as access to a common database. You will need to arrange for both ISPs to accept your BGP advertisements of your IP address prefixes. Then your ISPs need to advertise those address prefixes to the rest of the Internet.

Getting your address prefixes advertised is usually not a problem. You do, however, have to use care in your configuration to ensure that you do not inadvertently advertise any other address prefixes. In particular, you must ensure that you do not advertise yourself as a path between the two ISPs. This could cause your links to be consumed by transit traffic of no interest to you. More challenging is setting up your advertisements so that incoming traffic is reasonably balanced between the ISP links. Achieving that can be difficult at best, and nearly impossible at worst.

CHOOSE THE RIGHT ROUTE FOR YOU

The final decision is determining which routes to accept from each ISP. This can range from merely accepting a default route (used to detect if the link is up or down) to accepting all routes (so called "running defaultless"). The former is usually insufficient, because it does not protect you from an ISP which has an internal failure cutting them off from the rest of the Internet. The latter requires using "carrier-class" routers with lots of memory installed (and therefore more expensive). Fortunately, there are some "in-between" choices.

Rather than using a simple default route, you can use a conditional default route to protect against ISP failure behind the ISP's router that serves you. A conditional default route is a default route that is defined by a router only if a specific address is already in that router's routing table. Each ISP is only used for a default route if it is advertising one or more routes that indicate it is receiving advertisements from the rest of the Internet. That way, you will always use a default route which promises to be useful.

Another option is to have the ISP send you just its local routes. That way, you can optimize your outbound routing to avoid sending packets that could be locally delivered to the wrong ISP, adding to delivery delays. Care must be taken when using this option, however, because some ISPs have so many local routes that there is no cost benefit in the size of the routers required to handle them compared to running defaultless.

Options can also be combined. In many cases, taking local routes and a conditional default route will provide all the availability benefits of running defaultless, while still allowing the use of low-cost routers. As is always the case in networking, a good understanding of the requirements and the available capabilities is essential to maximizing cost-effectiveness.

**************************************************************************

From: Question 78
Date: 02 February 2002
Subject: How do I tell the difference between the different 2900 XL switches?
Answer by: Terry Kennedy <[email protected]>

> There are two versions of the Catalyst 2900 switch - the
> 2900 XL and the 2900 M XL. The 'M' model has two
> spots above the ethernet ports for the GBIC modules
> to slide into. The 'M' is about twice the height of the
> non-M switch.

And it's even more confusing than that. Older 2900XL M-series had 16 ports and less memory and can't run current software, so it is likely that the Gigabit Ethernet modules wouldn't work in those units.

A handy way to tell if a 2900XL can run current software is to look at the port numbers next to the LEDs on the base unit. If the numbers are yellow, it can run current software. If they're white or just etched in the plastic without any color, the switch is stuck running the older software. Note that you have to look at the ports on the base unit - it is possible to have a V-series expansion module with yellow numbers installed in an older M-series switch.

**************************************************************************

From: Question 79
Date: 02 February 2002
Subject: How do I suppress the transmission of PPP frames when dialing in?
Answer by: [email protected] (Aaron Leonard)

As far as suppressing the transmission of PPP frames from the 3640 side ... you can do it this way:

interface group-async1      ! or whatever interface you're using
 ppp direction callin       ! hidden command
 ppp lcp delay 60
 ppp lcp fast-start

This will cause PPP to refrain from sending frames for 60s after the interface comes up ... then when it receives a frame from the peer, it will start LCP.

**************************************************************************

From: Question 80
Date: 02 February 2002
Subject: What kind of memory can I use to upgrade my 2500 series router?
Answer by: Terry Kennedy <[email protected]>

The RAM is standard 72-pin parity 70ns FPM w/ tin leads, while the flash is the generic Cisco flash. If you have older boot ROMs, you'll want to make sure you get Intel chips or the ROMs won't recognize them. Or you could upgrade the ROMs - Cisco part number BOOT-2500=, allegedly free.

> Any suggestions for a decent memory supplier for this?

I used to use Kingston when I had 25xx's. But MemoryX seems to be less expensive these days: (http://www.memoryx.net/routers.html)

**************************************************************************

From: Question 80
Date: 02 February 2002
Subject: Where can I get mzmaker to compress my IOS?
Answer by: "MikeN" <[email protected]>

http://www.mcseco-op.com/mzmaker.htm

**************************************************************************

From: Question 81
Date: 02 February 2002
Subject: What is the meaning of in/out in reference to an access-list?
Answer by: [email protected] (Rod Dorman)

> Can anyone point me to a good description of the difference between "in"
> and "out" in applying an access list to an interface? Even the good
> books seem to only devote a sentence to the difference between them.

The simplest explanation I've seen is: Crawl into your router and look towards the interface. If the packets are going away from you they're outbound. If they're hitting you in the forehead they're inbound.

**************************************************************************

From: Question 82
Date: 02 February 2002
Subject: How do I remove the /32 - host - route when a PPP link comes up?
Answer by: Richard Gallagher <[email protected]>

To get rid of this host route, try the following command on both ends of the link:

no peer neighbor-route

**************************************************************************

From: Question 83
Date: 02 February 2002
Subject: How do I forward DHCP broadcasts to my DHCP server?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

> We are a Canadian company with an American office. We have a Cisco router
> at each office connected via a T1 line. We have a DHCP server at our
> Canadian office, and we would like it to also delegate IPs to our American
> office. Is this possible? If so, what must be done?

You have some choices.

1) Run DHCP on the remote router. This will prevent the dhcp requests from coming across the WAN. The downside is that only certain IOSes support running dhcp and is a bit more work for the router.


2) You can enable bootp forwarding or dhcp relaying. This can be accomplished by using "ip helper-address DHCP_SERVER_IP_HERE" interface command. But using helper-address turns on a lot of unnecessary UDP forwarding so you need to lock it down first.

So:

conf t
no ip forward-protocol udp tftp
no ip forward-protocol udp dns
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp bootpc
!
interface ethernet0/0
 ip helper-address YOUR_REMOTE_DHCP_SERVER_IP_HERE

**************************************************************************

From: Question 84
Date: 02 February 2002
Subject: How do I use the ip-helper command to facilitate DHCP use?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

See Question 83 (answer #2)

**************************************************************************

From: Question 84
Date: 02 February 2002
Subject: How do I send L2 traffic through a tunnel?
Answer by: [email protected] (Mortimer Mouse)

> Thanks for answering my post, the current problem I have is I need to send
> Layer2 type traffic through a tunnel ... is this possible ?

Sure. See...

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/inter_c/icdlogin.htm#xtocid292793

> I enabled bridging on both routers and created a bridge group and that
> seems to work fine I can see my netbeui traffic passing ....
> The problem is I have to be able to encapsulate netbeui or any other Layer2
> type protocol and encapsulate within a IP packet.

The usual way to do this is using a GRE tunnel between two routers, and configuring an additional loopback interface on each router as the source interface for the tunnel traffic, as below. Here, each router has a bridge group defined which allows certain traffic only as stated in the 200-series ACL onto the loopback interface. In this case it's LAT only - you will need to check the LSAP protocol number(s) for netbios/netbeui as I can't remember these off-hand. Once the traffic is forwarded from the LAN interface onto the loopback, it is encapsulated into IP GRE and forwarded to the far router.

                          --------------------------
                         /                          \
                 Tunnel0|                            |Tunnel0
                        |                            |
LAN--------Router A-------WAN Cloud-------Router B--------LAN
        Eth0         Ser0              Ser0         Eth0

Router A
--------

int e0
 ip address 192.168.100.254 255.255.255.0
 bridge-group 1

int loop0
 no ip address
 bridge-group 1
 bridge-group 1 output-type-list 200

int tunnel 0
 tunnel source interface loopback0
 tunnel destination 192.168.200.254

access-list 200 permit 0x6000 0x600f

Router B
--------

int e0
 ip address 192.168.200.254 255.255.255.0
 bridge-group 1

int loop0
 no ip address
 bridge-group 1
 bridge-group 1 output-type-list 200

int tunnel0
 tunnel source interface loopback0
 tunnel destination 192.168.100.254

access-list 200 permit 0x6000 0x600f
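As an added example (not part of the answer above, and not Cisco's code), here is a small Python evaluator for 200-series type-code access-list entries. It models the matching rule the router applies: the second hex value is a bitwise wildcard (a 1 bit means "ignore this bit"), not an upper bound of a range. Run against the list above it shows that 0x600f also leaves bits 13 and 14 free, so "permit 0x6000 0x600f" matches 0x0000-0x000F, 0x2000-0x200F and 0x4000-0x400F as well as 0x6000-0x600F; a wildcard of 0x000f would confine it to the DEC family that contains LAT (0x6004). The NetBIOS entry (LSAP 0xF0 as both DSAP and SSAP, wildcard 0x0101) is my assumption for the value the answer could not recall; the sample codes are constructed.

```python
"""Evaluate Cisco type-code (200-series) access-list entries.

Added example, not from the FAQ.  Each entry is a 16-bit type code plus a
16-bit wildcard mask whose set bits are ignored when matching.  For Ethernet II
frames the code is the EtherType; for 802.3/802.2 frames it is DSAP << 8 | SSAP.
"""

from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class TypeCodeEntry:
    action: str    # "permit" or "deny"
    value: int     # 16-bit type code
    wildcard: int  # 16-bit wildcard; set bits are "don't care"

    def matches(self, code: int) -> bool:
        care = ~self.wildcard & 0xFFFF
        return (code & care) == (self.value & care)


def parse_entry(line: str) -> TypeCodeEntry:
    """Parse one 'access-list <200-299> permit|deny <hex value> <hex wildcard>' line."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"not a type-code access-list entry: {line!r}")
    if not 200 <= int(parts[1]) <= 299:
        raise ValueError("type-code access-lists are numbered 200-299")
    value, wildcard = int(parts[3], 16), int(parts[4], 16)
    if not (0 <= value <= 0xFFFF and 0 <= wildcard <= 0xFFFF):
        raise ValueError("type code and wildcard are 16-bit values")
    return TypeCodeEntry(parts[2], value, wildcard)


def parse_acl(config: str) -> list[TypeCodeEntry]:
    return [parse_entry(line) for line in config.splitlines()
            if line.strip().startswith("access-list")]


def evaluate(acl: list[TypeCodeEntry], code: int) -> bool:
    """First matching entry wins; a code no entry matches hits the implicit deny."""
    for entry in acl:
        if entry.matches(code):
            return entry.action == "permit"
    return False


def covered_codes(entry: TypeCodeEntry) -> list[int]:
    """Every 16-bit code the entry matches: 2**popcount(wildcard) of them."""
    fixed = entry.value & ~entry.wildcard & 0xFFFF
    free_bits = [b for b in range(16) if (entry.wildcard >> b) & 1]
    codes = []
    for n in range(1 << len(free_bits)):
        code = fixed
        for i, b in enumerate(free_bits):
            if (n >> i) & 1:
                code |= 1 << b
        codes.append(code)
    return sorted(codes)


# The list from the answer above.  Wildcard 0x600f frees bits 0-3, 13 and 14.
LAT_ONLY_ACL = parse_acl("access-list 200 permit 0x6000 0x600f")

# Assumed NetBIOS/NetBEUI entry: LSAP 0xF0 as DSAP and SSAP, wildcard 0x0101 so the
# individual/group and command/response low bits of each SAP are ignored.
NETBIOS_ACL = parse_acl("access-list 201 permit 0xf0f0 0x0101")

ETHERTYPE_IP = 0x0800          # constructed sample codes
ETHERTYPE_LAT = 0x6004
LSAP_NETBIOS_CMD = 0xF0F0      # DSAP 0xF0, SSAP 0xF0 (command)
LSAP_NETBIOS_RSP = 0xF0F1      # same pair with the command/response bit set


if __name__ == "__main__":
    for code in (ETHERTYPE_LAT, ETHERTYPE_IP, 0x2004, LSAP_NETBIOS_CMD):
        print(f"0x{code:04x}: LAT list {evaluate(LAT_ONLY_ACL, code)}, "
              f"NetBIOS list {evaluate(NETBIOS_ACL, code)}")
    print(f"codes matched by 'permit 0x6000 0x600f': {len(covered_codes(LAT_ONLY_ACL[0]))}")
```

Before putting a type-code list on a bridge group, run the entry through covered_codes() and check that the set is no wider than intended; with an output-type-list the unexpected matches are extra frames that leak into the tunnel, with a deny they are frames silently dropped.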

**************************************************************************

From: Question 86
Date: 02 February 2002
Subject: How do I sort my IP Addresses using Unix tools?
Answer by: Paul Koch <[email protected]>

> The subject says it all. Am looking for an Excel 2000, or less, macro to
> sort IP addresses. The problem is Excel sort doesn't "understand"
> 192.028..005.001 vs. 192.28.5.1.

Do you have to use Excel? Yuck!

A random thought. If your data could have the address also in hex or decimal in another column, then a sort would be simple.

Simple under Unix :-)

sort -t . -k1,1n -k2,2n -k3,3n -k4,4n datafile

or even just

sort -V datafile    # GNU sort: "version" sort orders each dotted number field numerically
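As an added example (not part of the answer above): the same sort in Python, which handles the zero-padded octets in the question, produces the decimal column the answer suggests, and shows why one should not lean on inet_aton() for this kind of normalisation. The address list is constructed.

```python
"""Sort dotted-quad IPv4 addresses numerically.

Added example, not from the FAQ.  Each octet is parsed explicitly in base 10,
so 192.028.005.001 sorts next to 192.28.5.1.  It deliberately avoids
socket.inet_aton()/inet_addr(), which read a leading 0 as octal (010 is 8 and
028 is rejected), a mismatch between parsers that has been used to slip
addresses past allow-lists.
"""

from __future__ import annotations

import re

_DOTTED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def ip_key(addr: str) -> tuple[int, int, int, int]:
    """Strict base-10 parse of a dotted quad; leading zeros are read as decimal."""
    m = _DOTTED.match(addr.strip())
    if not m:
        raise ValueError(f"not a dotted quad: {addr!r}")
    octets = tuple(int(o, 10) for o in m.groups())
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range: {addr!r}")
    return octets


def is_dotted_quad(addr: str) -> bool:
    try:
        ip_key(addr)
    except ValueError:
        return False
    return True


def ip_to_int(addr: str) -> int:
    """Decimal form of the address, the helper column suggested in the answer."""
    a, b, c, d = ip_key(addr)
    return (a << 24) | (b << 16) | (c << 8) | d


def sort_ips(addrs: list[str]) -> list[str]:
    """Numeric sort; Python's sort is stable, so equal addresses keep input order."""
    return sorted(addrs, key=ip_key)


SAMPLE = [  # constructed input with mixed padding and octet widths
    "192.168.100.254",
    "192.28.5.1",
    "192.100.1.1",
    "10.0.0.1",
    "192.028.005.001",
    "192.168.100.9",
]


if __name__ == "__main__":
    for addr in sort_ips(SAMPLE):
        print(f"{addr:>16}  {ip_to_int(addr):>10}")
```

A plain text sort of SAMPLE puts 192.100.1.1 before 192.28.5.1 and 192.168.100.254 before 192.168.100.9; the numeric key fixes both.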

**************************************************************************

From: Question 87
Date: 02 February 2002
Subject: Why is measuring collisions a meaningless endeavour?
Answer by: [email protected] (Rich Seifert)

> A more useful calculation would be to multiply collisions by
> 704 and then divide that by 10000000 * t, to show the total overhead
> percentage used by collision detection. 704 is the number of
> bit-times consumed by a collision - 96 bittimes of interframe gap,
> 512 bits of collision, an additional 96 bittimes of interframe gap,
> next packet is ready to transmit.

First of all, you shouldn't count the interframe gap twice. The collision event uses an interframe gap, but the next one actually belongs to the next frame; it would be there whether or not a collision occurred.

More important, 511 bit times is the MAXIMUM time consumed by a collision in the absolute worst-case. This requires a network with maximum extent--longest possible cables, maximum repeaters, etc.--and devices with absolute worst-case timing parameters. In most small networks (e.g., a single 10BASE-T hub), nearly all collisions occur during the preamble, and the time consumed by the collision is just 96+64+32=192 bit-times (IFG+Preamble+Jam).

Unless you know the precise instant in which each collision occurs, you cannot calculate the bandwidth "lost" to collisions.

(By the way, the maximum collision fragment is 511 bits, not 512--at 512 bits, it becomes a valid frame.)

In addition, while some Ethernet controllers do return a collision count as part of the transmit status for each frame, many do not provide the SNMP/RMON driver with the exact number of collisions. Instead, the status indicates one of:

* OK (no deferral required, no collisions encountered)
* Deferred (deferral required, but no collisions encountered)
* 1 collision (one collision encountered, with or without deferral)
* >1 collision (more than one collision encountered, with or without deferral)
* Excessive collisions (16 collisions encountered)
* Late collision (collision encountered after 511 bits transmitted)

With this type of controller, you cannot distinguish a frame that encountered two collisions from one that encountered fifteen, so it is hard to estimate the bandwidth "lost" due to collisions.

Finally, I will reiterate my position that collision rates are a virtually useless metric for determining network performance. (See my earlier post on this subject.)

Seifert's Law of Networking #21: Measurements of unimportant parameters are meaningless.

-- Note added by Hansang Bae --

In the WORST case scenario (i.e. the stations are at the maximum distance apart) a collision will take up to 84 byte-times to resolve itself: 64 bytes (minimum Ethernet size + FCS), 8 bytes for the preamble, and 12 bytes for the IFG.

84 bytes is 672 bits. It takes .1 microsecond to transmit one bit (10Mb/s = 10,000,000 bits/sec = 10,000 bits/millisecond = 10 bits/microsecond = 1 bit/0.1 microsecond). So the total time spent on one collision event is 67.2 microseconds (672 bits * .1 microsecond). Now consider getting 100 collisions per second. 100 X 67.2 microseconds is 6,720 microseconds or 6.72 milliseconds. 6.72ms/1sec comes out to .672% (6.72ms/1sec = .00672, in percentage, that's .672%). That means that 99.328% of the channel is still available for data.

Here's another way to look at it. For every successful transmission, there was an equal number of collisions. This is a 1:1 ratio or 100% collision rate. Or equivalently, 50% of the frames that go out the NIC are collisions.

Assume that we are talking about an FTP transfer. Typically, FTP will use the 1518 max size and there will be an ACK (Acknowledgement) for every two packets. So you would see two 1518 frames and one ACK for both. So in a collision free world, we would see 2 frames of 1518 bytes and one ACK of 64 bytes. Throw in the preamble/SFD and the IFG to the mix and you get 2*(1518 + 8 Preamble + 12 IFG) + 1*(64) = 3,140 bytes.

Now if we have 3 collisions (one collision for each successful frame) then you have to add another 3*84 (three frames taking up 84 byte times - see #5 above). This comes out to 3,144 + (3*84) = 3,396. So the ratio is 3,140/3,396 = .9246 or 92.46%.

That means even with a 100% collision rate, we only lose about 7.53% of the bandwidth. Hardly anything to worry about! In the real world, you can expect a 33% collision rate for an FTP session. Also for smaller size frames, the % of wasted bandwidth would be much greater. But then again, only large transfers tax Ethernet networks.

**************************************************************************

From: Question 88
Date: 02 February 2002
Subject: How do I stop password-recovery on my routers?
Answer by: Michael Shorts <[email protected]>

"Password-recovery" might not be the best description. The feature locks out all access to the ROMMON.

You can do this on a 2600/3600 with the global configuration command "no service password-recovery".

The feature is indeed tied to the ROMMON. You must have a minimum ROMMON version 11.1(17)AA on the 3600, as well as minimum IOS 11.2(12)P or 11.3(3)T. All ROMMON versions on the 2600 support this feature.

**************************************************************************

From: Question 89
Date: 02 February 2002
Subject: How can I prevent a SYN-Flood attack using CAR?
Answer by: "John Kaberna" <[email protected]>

We are talking about all different kinds of floods (ICMP, SYN, UDP, etc) throughout this post. Actually he did say that Sprint can filter on their end. I included in a different post the link to configure CAR to limit SYN attacks using web traffic as an example. Your solution looks like it would work too as there are multiple ways to configure traffic shaping.

Configure rate limiting for SYN packets. Refer to the following example:

interface {int}
 rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
 rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop

access-list 152 permit tcp any host WEB_SERVER_IP_HERE eq www
access-list 153 permit tcp any host WEB_SERVER_IP_HERE eq www established

In the above example, replace:

  45000000 with the maximum link bandwidth
  1000000 with a value that is between 50% and 30% of the SYN flood rate
  burst normal and burst max rates with accurate values

Note that if you set the burst rate greater than 30%, many legitimate SYNs may be dropped. To get an idea of where to set the burst rate, use the "show interfaces rate-limit" command to display the conformed and exceeded rates for the interface. Your objective is to rate-limit the SYNs as little as necessary to get things working again.

WARNING: It is recommended that you first measure the amount of SYN packets during normal state (before attacks occur) and use those values to limit. Review the numbers carefully before deploying this measure.

If a SYN attack is aimed against a particular host, consider installing an IP filtering package on that host. One such package is IP Filter. This can be found on http://coombs.anu.edu.au/ipfilter/ Refer to IP Filter Examples for implementation details.

**************************************************************************


From: Question 89
Date: 02 February 2002
Subject: How do I setup a Multilink PPP?
Answer by: [email protected]

You have to create a virtual-template interface with IP address information; PPP then creates a virtual-access interface with that address.

!
multilink virtual-template 1
!
interface Virtual-Template1
 ip unnumbered Loopback0        ! or: ip address A.B.C.D MASK
 no ip mroute-cache
 ppp multilink
!
interface Serial0
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
!
interface Serial1
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink

**************************************************************************

From: Question 90
Date: 02 February 2002
Subject: How do I setup ppp callback with dialer-pool?
Answer by: [email protected] (Thomas Volk)

This is real hard stuff, doing PPP callback with dialer-pool; there are some commands missing in your config. Look at my example.... (also see: www.cisco.com/warp/public/cc/pd/ifaa/pa/much/tech/althb_wp.htm)

!
username router1 callback-dialstring 749410 password 0 ect
!
interface BRI0/0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp callback accept
 ppp authentication chap
!
interface BRI0/1
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp callback accept
 ppp authentication chap
!
interface Dialer1
 ip unnumbered FastEthernet0/0
 no ip directed-broadcast
 encapsulation ppp
 dialer remote-name router1
 dialer pool 1
 dialer enable-timeout 2
 dialer string 749410 class test1
 dialer-group 1
 ppp authentication chap
!
!
map-class dialer test1
 dialer callback-server username
dialer-list 1 protocol ip permit

**************************************************************************

From: Question 91
Date: 02 February 2002
Subject: My configs are too large. What can I do?
Answer by: Michael Shorts <[email protected]>

The IOS configuration in the 2600 Series is stored in a 32 KB EEPROM. The ROMMON reserves 3 KB, leaving 29 KB for the IOS.

You can use the "service compress-config" command to compress the configuration in the EEPROM. You can also load the configuration file from a TFTP server.

**************************************************************************

From: Question 92
Date: 02 February 2002
Subject: What does Frame-relay LMI and Encapsulation really do/mean?
Answer by: John Agosta <[email protected]>

I think there is some confusion here about frame relay "encapsulation" and frame relay "lmi" (heartbeat/keepalives).

Frame relay encapsulation is indeed significant end-to-end through the "cloud" between communicating DTE (router) equipment.

Cisco encapsulation inserts an ethernet "type field" immediately after the 2 byte frame header which contains the DLCI, FECN, BECN, and DE fields.

IETF (RFC 1490) encapsulation does not use ethernet type fields to identify the payload of the frame. Instead, IETF calls for the use of NLPID codes (Network Layer Protocol Identifiers) which are common in the OSI environment.

NLPIDs are to be used when the payload has an NLPID assigned to it (like IP). The NLPID (CC, in the case of IP) will follow an Unnumbered Information (UI) control field, 03.

If the payload does not have an NLPID assigned to it (like IPX), then IETF suggests that an OUI field (organizationally unique identifier) followed by an ethernet type code (8137 for example, if IPX) will be used. Much like an 802.3 frame with SNAP, the type code of 8137 will be offset further into the frame, and not found immediately after the 2 byte frame header.

This encapsulation must be understood by the communicating routers at either edge of the 'cloud.' The cloud itself does not care what type of "encapsulation" is being used. It is strictly a DTE-DTE issue.

LMI is a link integrity and PVC status verification protocol that IS locally significant between the router and the network interface. This protocol comes in 3 flavors: the 'original' Stratacom (aka cisco) version, ANSI's T1.617 Annex D, and CCITT/ITU Q.933 Annex A. These protocols are often collectively referred to as "LMI." It is possible to run one version of LMI on the East User-Network Interface (UNI) and another version on the West UNI, as these protocols simply identify the status of the UNI link and the PVCs found on that link.

Encapsulation, however, must match between the DTEs.

It is interesting to note, however, that Cisco routers are smart enough to interpret the 'encapsulation' type being used on incoming frames. If both DTEs are Cisco routers, one router 'can' use Cisco encapsulation while the other router uses "IETF." The ability to communicate with Cisco routers using different encapsulation schemes gives the "appearance" that the encapsulation is locally significant. In fact, this (cisco) ability to communicate is made possible by the smarts cisco builds into its implementation.

When any other vendor's DTE is involved, communications will fail if the "encapsulation" on both DTEs is not identical, even if one of the routers is a cisco.

(Unless, of course, the other vendor saw fit to build in the smarts that cisco has done. But I am not aware of any vendor that has this capability other than cisco....)

Hex protocol traces are available if any one would like to see..... Hope this sheds some light.....
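As an added example (not part of the answer above, and not from any vendor's code): a small Python decoder for the 2-byte Frame Relay header and the two encapsulations just described. It also shows the check that lets one receiver accept either encapsulation on the same DLCI: every EtherType is 0x0600 or higher, so a 0x03 in the first byte after the address can only be the IETF UI control field. The frame bytes are constructed; the Cisco layout (EtherType right after the header) and the RFC 1490 layout (UI control 0x03, optional 0x00 pad, then NLPID or SNAP) follow the description above.

```python
"""Decode a Frame Relay header and tell Cisco from IETF (RFC 1490) encapsulation.

Added example, not from the FAQ; the sample frames are constructed.  Assumed
layouts after the 2-byte Q.922 address (DLCI, C/R, FECN, BECN, DE, EA bits):
  Cisco: EtherType (2 bytes), e.g. 08 00 for IP, then the packet.
  IETF:  control 0x03 (UI), optional 0x00 pad, then an NLPID; 0xCC is IP and
         0x80 means a SNAP header follows: 3-byte OUI + 2-byte PID
         (00 00 00 81 37 for IPX).
"""

from __future__ import annotations

from dataclasses import dataclass

ETHERTYPES = {0x0800: "ip", 0x8137: "ipx", 0x0806: "arp"}
NLPIDS = {0xCC: "ip", 0x81: "clnp", 0x82: "es-is", 0x83: "is-is"}


@dataclass
class FRFrame:
    dlci: int
    fecn: bool
    becn: bool
    de: bool
    encapsulation: str  # "cisco" or "ietf"
    protocol: str       # "ip", "ipx", ... or a hex label for unknown codes
    payload: bytes


def parse_address(b0: int, b1: int) -> tuple[int, bool, bool, bool]:
    """2-byte Q.922 address: 6 high DLCI bits in b0, 4 low bits plus FECN/BECN/DE in b1."""
    if (b0 & 0x01) or not (b1 & 0x01):     # EA bit: 0 in the first byte, 1 in the last
        raise ValueError("only 2-byte Q.922 addresses are handled")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return dlci, bool(b1 & 0x08), bool(b1 & 0x04), bool(b1 & 0x02)


def parse_frame(frame: bytes) -> FRFrame:
    if len(frame) < 4:
        raise ValueError("frame too short")
    dlci, fecn, becn, de = parse_address(frame[0], frame[1])

    if frame[2] == 0x03:                          # UI control field: RFC 1490 / IETF
        i = 3
        if frame[i] == 0x00:                      # optional alignment pad
            i += 1
        nlpid = frame[i]
        i += 1
        if nlpid == 0x80:                         # SNAP: OUI + PID follow
            oui = frame[i:i + 3]
            pid = int.from_bytes(frame[i + 3:i + 5], "big")
            i += 5
            if oui == b"\x00\x00\x00":            # OUI 00-00-00: PID is an EtherType
                proto = ETHERTYPES.get(pid, f"ethertype 0x{pid:04x}")
            else:
                proto = f"oui {oui.hex()} pid 0x{pid:04x}"
        else:
            proto = NLPIDS.get(nlpid, f"nlpid 0x{nlpid:02x}")
        return FRFrame(dlci, fecn, becn, de, "ietf", proto, frame[i:])

    ethertype = int.from_bytes(frame[2:4], "big")   # Cisco: type field right after the header
    if ethertype < 0x0600:
        raise ValueError(f"neither UI control nor a valid EtherType: 0x{ethertype:04x}")
    return FRFrame(dlci, fecn, becn, de, "cisco",
                   ETHERTYPES.get(ethertype, f"ethertype 0x{ethertype:04x}"), frame[4:])


# Constructed frames on DLCI 100 (address bytes 0x18 0x41; 0x43 also sets the DE bit).
IP_HDR = bytes.fromhex("4500001c000100004001")   # first bytes of an IPv4 header, for shape only
CISCO_IP = bytes([0x18, 0x41, 0x08, 0x00]) + IP_HDR
IETF_IP = bytes([0x18, 0x41, 0x03, 0xCC]) + IP_HDR
IETF_IPX = bytes([0x18, 0x43, 0x03, 0x00, 0x80, 0x00, 0x00, 0x00, 0x81, 0x37]) + b"\xff\xff"


if __name__ == "__main__":
    for f in (CISCO_IP, IETF_IP, IETF_IPX):
        print(parse_frame(f))
```

Fed a hex trace of the kind the answer offers, the decoder reports the encapsulation each side is actually sending, which is the first thing to check when a Cisco-to-other-vendor PVC shows LMI up but passes no traffic.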

**************************************************************************

From: Question 93
Date: 02 February 2002
Subject: How do I make a T1 Cross-over cable?
Answer by: [email protected] (Aaron Leonard)

For *T1* I've used the following pinouts for crossovers:

T1/E1 crossover (for PRI and CAS back-to-back connection):

RJ-45 ----- RJ-45
  1   -----   4
  2   -----   5
  4   -----   1
  5   -----   2

RJ-45 ----- DB-15
  1   -----   1
  2   -----   9
  4   -----   3
  5   -----   11

DB-15 ----- DB-15
  1   -----   3
  3   -----   1
  9   -----   11
  11  -----   9

For E1 (assuming RJ-48 aka RJ-45), the pinouts would be the same as for T1, except that I guess you need to have pins 3 and 6 (shield/ground) connected.

I don't suppose I should be pointing people to Juniper's website, but anyway ... http://www.juniper.net/techpubs/hardware/m160/m160-picinstall/html/pinout5.html

**************************************************************************

From: Question 94
Date: 02 February 2002
Subject: Can I use a router to simulate BRI switch?
Answer by: [email protected] (Aaron Leonard)

In current IOS (12.1(3)T and above, I think), you can configure PRIs back-to-back between routers: configure one side to be network side (isdn protocol-emulate network) and the other to be user side (default; isdn protocol-emulate user). The supported switchtypes are primary-net5 and primary-ni.

As the original posting had alluded, we have SOME support for network-side BRI - but this is only on certain VIC cards due to hardware restrictions - http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121x/121xi/121xi_3/dt_brint.htm

**************************************************************************

From: Question 95
Date: 02 February 2002
Subject: How do I use Policy Based Routing?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

Keep in mind that Policy routing works on the INBOUND interface. If you think about it, it makes sense. The decision to hand off the packet has to be made as it's coming into the router and not on the egress interface.

!
! Determine who's eligible to be policy routed
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Figure out where you want to send the pkts based on the source IP
!
route-map RouteMeBaby permit 10
 ! To whom should this policy apply?
 match ip address 1
 !
 ! Where should you redirect it to? Should use both. If one is
 ! omitted, the value will be retrieved from the routing table -
 ! which may or may not be what you wanted
 !
 set ip next-hop ROUTER_2's_SERIAL_IP
 set interface s0
!
interface E0
 ip addr blah blah blah
 ip policy route-map RouteMeBaby
 ! If your IOS supports it, enable fast switching for PBR
 ip route-cache policy

*IF* fast switching is supported (may be 11.3 and up or it could be 12.0 and up...) do a

sho ip cache policy

if not, do a

sho ip policy

**************************************************************************

From: Question 96
Date: 02 February 2002
Subject: How do I setup a VPN tunnel using pre-shared keys?
Answer by: "Ian M" <[email protected]>

Dror-John is right. There is a LOT to know about when you get into encryption, and like any other branch of this industry knowing the hows & whys will help your configs and troubleshooting enormously.

The CCO IPSec Product Support page has a wealth of useful info and examples. www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:IPSec

RFCs 2401-2412 are not too taxing either. I've added below a very basic example using pre-shared keys, DES encryption and SHA-1 hashing algorithm. Site 1 is 10.0.1.0/24, site 2 10.0.2.0/24 and the serial i/fs 10.0.4.0/30 (& assumes you have sub-i/fs). Names and things in capitals.

Router1(config)#
!
crypto isakmp policy 1
! Define your ISAKMP policy settings
 group 2
! 'group' defines the modulus for Diffie-Hellman calculation.
! Default is group 1, less CPU work, but less secure.
 authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.2
! Your shared key, and what peer i/f it's used for.
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
! Define what happens to the traffic. AH & ESP are two IPSec protocols.
!
crypto map TO_SITE_2 10 ipsec-isakmp
! Define crypto-map
 set peer 10.0.4.2
! The other side
 set transform-set TS1
! Which transform-set to use
 match address 150
! What traffic to include
!
interface Serial1/0.0
 ip address 10.0.4.1 255.255.255.252
 crypto map TO_SITE_2
! Apply the crypto-map to the i/f
!
access-list 150 permit ip 10.0.1.0 0.0.0.255 any
! Include traffic coming from here. I've said anything going out, for
! there may be places beyond Site 2, but Cisco says this can cause
! problems for multicast traffic. This also assumes no traffic will be
! going to Site 2 from somewhere else _through_ Site 1. Perhaps
! best to err on the more specific side. However it is a good idea
! to not include your serial i/fs, so you can still get at the far router
! if there's a problem.

Router2(config)#
!
crypto isakmp policy 1
 group 2
 authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.1
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
!
crypto map TO_SITE_1 10 ipsec-isakmp
 set peer 10.0.4.1
 set transform-set TS1
 match address 150
!
interface Serial1/0.0
 ip address 10.0.4.2 255.255.255.252
 crypto map TO_SITE_1
!
access-list 150 permit ip 10.0.2.0 0.0.0.255 any

**************************************************************************

From: Question 97
Date: 02 February 2002
Subject: Why does one packet always get dropped on the last hop of traceroute?
Answer by: [email protected] (Aaron Leonard)

And the winner is ... Max. Inspired by (I think) sec. 4.3.2.8 in RFC-1812, we rate-limit our ICMP message generation to 1/sec/destination. This can be adjusted by the "ip icmp rate-limit unreachable" command.

More interesting than simply causing an oddity for traceroute, ICMP rate-limiting can cause intermittent PMTUD blackholes (or I should say perhaps "PMTUD brownholes".) If you're doing PMTUD (as alas anyone running Windows defaults to), then you might want to ease the rate limit on DF unreachables.

**************************************************************************

From: Question 98
Date: 02 February 2002
Subject: How to setup NATing based on outgoing interface to two different ISPs.
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

> ISP1        CableModem
>     \         /
>      \       /
>    --------------
>      Cisco 2621
>         | ---------------------------------
>         |                                |
>      Firewall                       Mail Server
>         |
>    --------------------
>       Company LAN

> We just installed a T1 to the Internet to co-exist with our Cablemodem. I
> am looking at ways to implement this. We currently have a Cisco 2621 with
> the T1 connection and a Linux Box Masqing cablemodem Internet access now.
> My question is, what would be the best way to implement this?
>
> I proposed we connect the Cablemodem into the 2621 (FEthernet interface)
> next to the T1 connection (separate ISP's btw) and NAT.

That will work. But you need to use route-maps to match the outgoing interface (or next-hop) when you define your NAT pool. In a nutshell:

int fa0/0
 ip addr blah
 ip nat outside
!
int fa0/1
 ip addr blah
 ip nat outside
!
ip nat pool ISP1 ISP1_Valid_range_here prefix-length blah
ip nat pool Cable Cable_Valid_range_here prefix-length blah
!
! These users below are allowed to use the NAT service.
access-list 1 permit 10.0.0.0 0.255.255.255
!
! Tie each route-map to its pool (the inside interface also needs "ip nat inside")
ip nat inside source route-map ISP1 pool ISP1
ip nat inside source route-map Cable pool Cable
!
route-map ISP1 permit 10
 match ip address 1
 match interface fa0/0
!
route-map Cable permit 10
 match ip address 1
 match interface fa0/1

**************************************************************************

From: Question 99
Date: 02 February 2002
Subject: How do I use IPX over DDR?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

> I have a special problem with IPX. I want to connect a remote IPX
> segment over a DDV with two dedicated routers; the backup is a DDR
> 128kbit/s line also with two dedicated routers.
> Now my problem: how can I change the IPX RIP update information for the
> remote IPX segment? In IP RIP there is a possibility to take a command
> like offset-list.
> Any ideas?

You can use floating static default routes along with an access list to deny the chatty traffic. For example:

int bri0
 ipx watchdog-spoof
 ipx spx-spoof
 !
 ! Turn off IPX route-cache so the above spoofs will work
 no ipx route-cache
 !
 ! Define what should kick up this BRI line
 !
 dialer-group 1
!
! /* other pertinent config here */
!
!
! Make IPX RIP uninteresting
access-list 901 deny any any all any rip
!
! Make SAP uninteresting
access-list 901 deny any any all any sap
!
! Make NetWare Serialization packets uninteresting
access-list 901 deny any any all any 457
!
! Everything else can kick up the line
access-list 901 permit any any all any all
!
dialer-list 1 protocol ipx list 901

**************************************************************************


From: Question 100
Date: 02 February 2002
Subject: How can I automatically ping a range of IP addresses in Wintel world?
Answer by: "Gregg Branham" <[email protected]>

Suppose your subnet is 192.168.100.X.

FOR /L %%i IN (1,1,254) DO ping 192.168.100.%%i

An even better way to do this would be to use NBTSTAT to collect NetBIOS names and MAC addresses at the same time:

echo header info here >> output.txt
FOR /L %%i IN (1,1,254) DO nbtstat -A 192.168.100.%%i >> output.txt

**************************************************************************

From: Question 101
Date: 02 February 2002
Subject: Sample config of using VIC BRI interfaces as an ISDN switch.
Answer by: "John Paul Morrison" <[email protected]>

Enter this under stupid router tricks (it's got to be more expensive than an ISDN emulator, but not if you've got the parts lying around).

Switch: Cisco 2600 or 3600 with NM-2V and VIC-2BRI-S/T-TE (NT should work too), IOS 12.1.5T9
R1, R2: Cisco with ISDN BRI S/T interface, IOS 12.x

R1----S/T crossover cable----Switch----S/T crossover----R2

These configs let you do ISDN BRI dialup between two routers, using a third router as an ISDN switch. Call setup is flaky but otherwise it seems to work once the call is up.

Switch config, for ISDN dial (and X.25 over ISDN D-channel thrown in too)

!
isdn switch-type basic-net3
x25 routing
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255    ! whatever
!
interface BRI1/0
 description to R1
 no ip address
 isdn switch-type basic-net3
 isdn overlap-receiving
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn x25 dchannel
 isdn skipsend-idverify
!
! Basic X.25 over D channel, so you can run pad commands
! For always on, see the Cisco docs
!
interface BRI1/0:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5552000
 clns mtu 1514
!
interface BRI1/1
 description to R2
 no ip address
 isdn switch-type basic-net3
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn skipsend-idverify
!
interface BRI1/1:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5551000
 clns mtu 1514
!
x25 route 5551111 interface BRI1/1:0
x25 route 5552222 interface BRI1/0:0
!
voice-port 1/0/0
!
voice-port 1/0/1
!
dial-peer voice 1 pots
 incoming called-number 6045551111
 destination-pattern 6045552222
 direct-inward-dial
 port 1/0/0
!
dial-peer voice 2 pots
 incoming called-number 6045552222
 destination-pattern 6045551111
 direct-inward-dial
 port 1/0/1
!
dial-peer voice 10 voip
 destination-pattern 6045552222
 session target ipv4:10.0.0.1
 codec clear-channel
!
dial-peer voice 20 voip
 destination-pattern 6045551111
 session target ipv4:10.0.0.1
 codec clear-channel
!

R1, R2 config (just reverse the 5551111/5552222 and 1.1.1.1/1.1.1.2)

!
isdn switch-type basic-net3
!
interface BRI0/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp
 dialer string 6045552222 class DOV
 dialer-group 1
 isdn switch-type basic-net3
 isdn incoming-voice data
 isdn calling-number 6045551111
 isdn x25 dchannel
!
interface BRI0/0:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5551111
!
map-class dialer DOV
 dialer voice-call
dialer-list 1 protocol ip permit
!

**************************************************************************

From: Question 102
Date: 02 February 2002
Subject: How do I do X25 over ISDN D channel?
Answer by: "John Paul Morrison" <[email protected]>

See Question 101.

**************************************************************************

From: Question 103
Date: 02 February 2002
Subject: What can I do to remove SAP Type 640 on my routers?
Answer by: [email protected] (Lee)

Check out these links for how to turn off the 640 SAP:
http://support.microsoft.com/support/kb/articles/Q142/5/33.asp
http://support.microsoft.com/support/kb/articles/Q171/3/07.ASP

IMHO the 640 SAPs were M$'s way to mess with Novell. If you have two MS workstations configured with the same name then all the Novell consoles get flooded with 'server xxx was <net.node> is <net.node>' msgs (or some such. It's been a long time since we've had that problem :-)

MS will generate 64E SAPs also :-( I block them all. ie.

access-list 1006 deny FFFFFFFF 640
access-list 1006 deny FFFFFFFF 64E
access-list 1006 permit FFFFFFFF 0

access-list 1030 deny FFFFFFFF 30C
access-list 1030 deny FFFFFFFF 45A
access-list 1030 deny FFFFFFFF 535
access-list 1030 deny FFFFFFFF 640
access-list 1030 deny FFFFFFFF 64E
access-list 1030 permit FFFFFFFF

interface <user subnet>
 ipx input-sap-filter 1006
interface <WAN link>
 ipx output-sap-filter 1030 ! local area printing only

(which is why I really believe MS was trying to screw Novell. I've been filtering them out for years and have not had a single complaint from the users)

**************************************************************************

From: Question 104
Date: 02 February 2002
Subject: What kind of memory does the 2500 use?
Answer by: Terry Kennedy <[email protected]>

Parity. 70ns, 72-pin FPM w/ tin leads.

**************************************************************************

From: Question 105
Date: 02 February 2002
Subject: How do I make an Ethernet Cross-over cable?
Answer by: "Lindsay Druett" <[email protected]>

Try this as a crossover cable.

1 to 3
2 to 6
3 to 1
6 to 2
4 to 7
5 to 8
7 to 4
8 to 5

Basically in a traditional cross-over, which is a 10 BaseT and a 100 BaseTX, you are swapping the Green Pair with the Orange Pair, but not so commonly, you have a 100 BaseT4 cross-over cable (which just happens to also be a 1000 BaseT cross-over cable), not only do you swap over the Green and Orange Pair, but you also swap over the Blue and Brown Pair.

The silly part is that in Cisco's Documentation, it shows the schematic on a traditional cross-over cable, but you will see the pin-outs of the 1000 BaseT Interface.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/2950_wc/hig/hgcable.htm#xtocid42327

I have just made a comment to Cisco about this.


**************************************************************************

From: Question 106
Date: 02 February 2002
Subject: How do I use NBAR to block NIMDA?
Answer by: "Brad Ellis" <[email protected]>

See: http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml

> Here's my working config (with thanks to John Kaberna and Chris
> Martin) on a 2610 router:
>
>
> ip cef
>
> class-map match-any http-hacks
> match protocol http url "*default.ida*"
> match protocol http url "*x.ida*"
> match protocol http url "*.ida*"
> match protocol http url "*cmd.exe*"
> match protocol http url "*root.exe*"
> match protocol http url "*_vti_bin*"
> match protocol http url "*_mem_bin*"
> match protocol http mime "*readme.exe*"
> match protocol http mime "*readme.eml*"
>
> policy-map mark-inbound-http-hacks
> class http-hacks
> set ip dscp 1
>
> interface Serial0/0
> ip access-group 101 in
> service-policy input mark-inbound-http-hacks
>
> interface Ethernet0/0
> ip access-group 101 out
>
> access-list 101 deny ip any any dscp 1 log
> access-list 101 permit ip any any

**************************************************************************

From: Question 107
Date: 02 February 2002
Subject: What is a FECN/BECN and does it mean anything?
Answer by: Bernie <[email protected]>

First, when you use FR, it is not over a host to router connection. FR is going to be router to ingress-FR-switch through cloud to egress-FR-switch to destination-router. With that in mind, what you have to worry about with exceeding your CIR is the ingress FR switch. FECN and BECNs are different mechanisms which I will explain in a minute.

Let me explain the algorithm that FR switches use to police your bandwidth usage. It is a token/credit system that is implemented on the *ingress* FR switch (so the ingress switch is the traffic cop). Keep in mind that everything that I am about to describe occurs entirely within the FR switch, so when I say that you are given tokens to transmit, I mean that in the software of the FR switch these tokens are kept track of, not that the FR switch transmits tokens to your router to use for each frame. I'm going to start with a simple scenario in which you only have a CIR and an EIR of 0. Anyway, every second (which is the default interval, or Tc for those that want the real term) you get Bc tokens which is essentially permission to transmit that many tokens worth of data over the time of that second. Bc tokens decrement against the CIR, which is to say that Bc tokens are used to regulate the CIR not the EIR (I will describe Be tokens later). At the end of the second you are given more tokens for use during the next second. Every time the FR switch receives data from the router, it subtracts tokens. What happens if you run out of tokens is that every frame will be discarded until the next interval at which point you get more tokens. If it receives a frame marked with a DE bit, it should discard it automatically.

However, most people don't buy FR service with an EIR of zero. In this case where you have a CIR and an EIR, the token credit system is a little more complex. Every time interval (Tc) you get Bc tokens and Be tokens. In the case that you are not setting the DE on any frames, data received by the FR switch decrements credits from the Bc pool until exhausted. Suppose the FR switch now receives a frame but there are no Bc tokens left (you will get more Bc tokens in the next time interval) at the time. The FR switch will check for a Be token, and if you have one, it will mark the DE field and transmit the frame across the network and decrement tokens from the Be pool. Keep in mind that the Be pool represents your burst capabilities over and above the CIR. IOW, Be tokens keep track of the EIR and Bc tokens keep track of the CIR. Suppose the Be pool is exhausted and the Bc pool is exhausted and another frame arrives. It is dropped, period. At the next time interval you will get more Bc and Be tokens to use.

What happens if you mark your own DE frames? Well, when the ingress FR switch receives a non DE-marked frame, it will subtract against the Bc token pool. If it receives a DE-marked frame, it will subtract against the Be token pool. If it receives a non DE-marked frame but there are no Bc tokens left, the FR switch will mark it DE, transmit it and subtract Be tokens. If it receives any frame (regardless of DE or non DE-marked) and there are no Bc or Be tokens left, the frame is dropped. So really the use of marking your own DE frames simply allows you to be the master of your own destiny by categorizing your own data intelligently instead of letting the FR switch do it based simply on the order of arrival. And the reason you want to mark your own packets has to do with how the network handles congestion (see below where I talk about BECN, etc.)

A couple of points are worth making. First, you cannot accumulate tokens over time. There is a maximum amount which is the value of the committed burst (Bc) and this value has a mathematical relationship with the CIR (CIR = Bc/Tc also EIR = Be/Tc). In almost all cases Tc is set to 1 second, so the result is that CIR = Bc and EIR = Be. So if you have the maximum number of tokens in your Bc token pool (max amount = Bc), and you send no frames for the next hour, you will still only have Bc amount of tokens when you send the next frame. Second, the above description is not 100% accurate so don't use it to teach a class of newbie students. I simplified a number of things for the sake of getting the concepts across, and in the process I sacrificed the accuracy of some of the information. For instance, you don't get a lump of tokens all at once as I described--in reality, your tokens replenish gradually over the Tc interval. Third, you only need a single token (which represents a byte of data) to transmit a frame. So if you are out of Bc tokens and you only have one Be token left, even if you send a 1500 byte frame, it will still be transmitted as DE and the last token will be subtracted.

Ok, so how does the FR network handle DE or non-DE frames? Different vendors of FR switches may be designed to operate differently, but I believe the following is the normal behavior. If a node within the cloud starts to experience *mild* congestion, it starts setting the FECN, BECN, or both bits on frames traversing the node. Routers connected to the FR cloud that receive BECN bits should slow their transmission by buffering frames and sending them slightly later. Routers that receive FECN bits might (if there is a way) signal the sending router to slow transmission by buffering its frames. If a node starts experiencing moderate congestion, it will start dropping frames marked DE. At heavy and severe congestion levels, the node will start dropping other traffic as well. Depending on vendor, there may be many levels of priority traffic (i.e. gold vs. bronze customers) to determine exactly which frames to drop before others when experiencing heavy and severe levels of congestion.

>> Say I have a CIR of 512 Kbps. Say the users in the site are generating 2
>> Mbps data (internet surfing, email, etc) and I'm not using Discard
>> Eligible (because I wouldn't know how to set that up anyway)
>>
>> Here is my guesswork. The routers may try to send more than 256kbps. The
>> switches will start sending FECN's and BECN's.

They shouldn't start generating FECNs and BECNs unless some FR switch along the path is overloaded, and this (in theory) shouldn't happen since you are well below your CIR. IOW, the network should be engineered to be able to handle everyone's CIR on a statistical basis. If this were to happen on a regular basis, I would configure my router to ignore BECNs/FECNs because I am paying for a CIR of 512k, and I'll be darned if I'll let my NSP force my routers to throttle back when I am only using half of my CIR. They are "committing" to 512k, so I want my 512k, not "256k if the network feels like it".

>> The routers will slow down sending rates. If a user is sending data to
>> a router faster than it can route, what will it do? Does TCP Window sizes
>> and acknowledgements between the PC's limit the rate at which the router
>> will receive data, so that it is unlikely ever to be too busy?

Remember that TCP windowing is an end-to-end mechanism, so routers in between aren't part of the equation. PC's rarely send data *to* a router, but rather *through* a router. So if a user is sending data through a router faster than it can route, the buffers in the router fill up, overflow, and packets get dropped, resulting in retransmissions, and therefore the starting over of the TCP windowing size.

>> If data is dropped by the router using DE, will the TCP resend process
>> between the PC's be the normal recovery process?

Routers don't drop DE frames. That is a FR switch function, not a router function. But, yes, ultimately TCP is the process by which lost packets will be retransmitted.
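The Bc/Be token policing that Bernie describes for the ingress FR switch, as an added simulation that is not part of the FAQ or of any vendor's switch software. It follows the post's simplifications (tokens are bytes, both pools are refilled rather than accumulated at each Tc, a single remaining token is enough to send a whole frame); the CIR/EIR figures and the 80-frame burst are constructed for illustration.

```python
"""Token/credit policer for one Frame Relay PVC at the ingress switch."""
from dataclasses import dataclass


@dataclass
class Frame:
    size: int          # bytes on the wire
    de: bool = False   # Discard Eligible bit as set by the sending router


class IngressPolicer:
    """Bc (committed) and Be (excess) token pools, refilled every Tc."""

    def __init__(self, cir_bps: int, eir_bps: int, tc_seconds: float = 1.0):
        # CIR = Bc/Tc and EIR = Be/Tc; the pools are counted in bytes.
        self.bc = int(cir_bps * tc_seconds / 8)
        self.be = int(eir_bps * tc_seconds / 8)
        self.bc_tokens = self.bc
        self.be_tokens = self.be

    def next_interval(self) -> None:
        """Start a new Tc: pools are reset to Bc/Be, unused tokens are lost."""
        self.bc_tokens = self.bc
        self.be_tokens = self.be

    def police(self, frame: Frame) -> str:
        """Return 'forward', 'forward-de' or 'drop' for one arriving frame.

        A non-DE frame is charged to Bc while Bc still has tokens; otherwise
        the switch marks it DE and charges Be. A frame the router already
        marked DE is always charged to Be. Both pools empty means a drop.
        One token is enough to send the frame; the pool simply hits zero.
        """
        if not frame.de and self.bc_tokens > 0:
            self.bc_tokens = max(0, self.bc_tokens - frame.size)
            return "forward"
        if self.be_tokens > 0:
            self.be_tokens = max(0, self.be_tokens - frame.size)
            return "forward-de"
        return "drop"


def run_interval(policer: IngressPolicer, frames: list) -> dict:
    """Police a burst of frames arriving within one Tc and tally outcomes."""
    tally = {"forward": 0, "forward-de": 0, "drop": 0}
    for frame in frames:
        tally[policer.police(frame)] += 1
    return tally


if __name__ == "__main__":
    # Constructed scenario: CIR 512 kbps, EIR 256 kbps, Tc = 1 s, so
    # Bc = 64000 bytes and Be = 32000 bytes per interval.
    policer = IngressPolicer(cir_bps=512_000, eir_bps=256_000)
    # A site bursting 80 full-size frames (120000 bytes) in one second:
    # 43 go through clean, 22 get DE set by the switch, 15 are dropped.
    burst = [Frame(1500) for _ in range(80)]
    print(run_interval(policer, burst))
```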


**************************************************************************

From: Question 108
Date: 02 February 2002
Subject: How do I stop logging (generating snmp trap) for up/down interfaces?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

Use the interface commands:

no logging event link-status
no snmp trap link-status

**************************************************************************

From: Question 109
Date: 02 February 2002
Subject: How do I setup the variables to do tftpdnld in rommon?
Answer by: "Niloupi" <[email protected]>

You can use tftp, if available ... if not no luck ... xmodem using console or another flash. and I think you can upgrade boot rom to support the command tftpdnld but not sure about it:

IP_ADDRESS=10.1.1.16
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=10.1.1.2
TFTP_SERVER=10.1.1.2
TFTP_FILE=ios.bin
FE_SPEED_MODE=0
TFTP_VERBOSE=1
tftpdnld -d

**************************************************************************

From: Question 110
Date: 02 February 2002
Subject: How do I get the memory-usage on the Vip-Card
Answer by: Christophe Fillot <[email protected]>

You can log into the VIP by using the "if-con <vip-slot>" undocumented command, and do a "show memory":

7500_UTC#if-con 0
Console or Debug [C]: <===== Press enter here
Entering CONSOLE for VIP2 R5K 0
Type "^C^C^C" or "if-quit" to end this session

VIP-Slot0#
VIP-Slot0#sh mem
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor   607C34E0    25414648    15390076    10024572    10024572     9957660
      PCI   30000000     4194312     4194168         144         144          92

If you want more details on dCEF memory usage on a VIP, you can do a "sh ip cef sum".

**************************************************************************

From: Question 111
Date: 02 February 2002
Subject: What is the order of operation in terms how a packet is processed?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

From the book "Inside Cisco IOS Architecture":

1) compression/decompression
2) Encryption
3) Inbound ACL
4) Unicast reverse path checking
5) Input rate limiting
6) Broadcast handling (ip helpers)
7) Decrement TTL
8) Inspect system (FW features)
9) Outside to Inside NAT
10) Handle router alert flags in the IP header
11) Search for outbound interface in the routing table
12) Policy routing
13) Handle web cache redirects
14) Inside to Outside NAT
15) Encryption
16) Output ACL
17) Final Inspect check
18) TCP Intercept processing.

**************************************************************************

From: Question 40
Date: 02 February 2002
Subject: What are the different T1 jack type codes?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

RJ48-BLAH where BLAH ==
"C" Identifies a surface or flush mounted jack.
"W" Identifies a wall mounted jack.
"S" Identifies a single-line jack.
"M" Identifies a multi-line jack.
"X" Identifies a complex multi-line or series-type jack.

"X" variety can automatically loop up the line if you pull out the cable so it's usually called a "smartjack"

**************************************************************************

From: Question 113
Date: 02 February 2002
Subject: How do I show just one interface's configuration?
Answer by: "harry" <[email protected]>

My all time favourite "trick" is "show run int xx" where xx is the interface in question

**************************************************************************

From: Question 114
Date: 02 February 2002
Subject: How can I search CCO for IS-IS related information?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

Searching the CCO for IS-IS is a bit of a pain since you have two stop words and a hyphen! So search the CCO for:

+is-+is

**************************************************************************

From: Question 115
Date: 02 February 2002
Subject: How can I script a network reachability test?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

Today a trouble ticket was elevated to our design team. It seems a bunch of users are locking up while using Outlook with OpenMail servers. Not sure if it was network, Outlook, OpenMail server, or combination of the above. Since the users were somewhat senior level folks, it was not realistic to have to jot down detailed notes about when it happened etc.

Since the PCs were all Wintel based, I wrote this in a hurry to include in their "START" menu. Not being able to use Unix tools pretty much tied my hands, and I didn't put in a lot of error checking, but hey, I only had about 30 minutes to whip this up.

Although it's a bit simple hope you find it somewhat useful.

------ BEGIN BATCH FILE ----
TITLE TESTING THE NETWORK
@echo off
cls
echo.
echo.
echo.
echo.
echo.
echo **********************************************************
echo **********************************************************
echo **********************************************************
echo *                                                        *
echo *                                                        *
echo *            Running network test........                *
echo *     This windows will close automatically when         *
echo *     the testing has been completed.                    *
echo *                                                        *
echo *     Please call XYZ at XYZ if you have any questions   *
echo *                                                        *
echo *                                                        *
echo **********************************************************
echo **********************************************************
echo **********************************************************
:
: Create a temp folder for our use and start with some flower
: box delimiters
:
if not exist c:\mailte$t md c:\mailte$t
echo ***************************************>> c:\mailte$t\%username%.txt
echo ***************************************>> c:\mailte$t\%username%.txt
:
: Pipe in some blank lines and date time stamp.
echo. >> c:\mailte$t\%username%.txt
echo.|date | find /i "current" >> c:\mailte$t\%username%.txt
echo.|time | find /i "current" >> c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: Start a trace route w/o Rev-DNS lookups to our servers.
: The server name is given as a command line argument.
echo TRACE ROUTING TO %1 >>c:\mailte$t\%username%.txt
tracert -d %1.blah.foobar.com >>c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: ping with max sized ICMP packets
echo PINGING to %1 >>c:\mailte$t\%username%.txt
:
:!!!unwrap the next two lines!!!
ping -L 1472 %1.blah.foobar.com | find /i "Reply from" >>c:\mailte$t\%username%.txt
:
echo. >> c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: Now ftp it to the 2.104 server using the script file
: C:\ftpcmd.txt
:
ftp -s:c:\ftpcmd.txt x.x.2.104
exit

Contents of ftpcmd.txt file:

cisco
cisco1
put c:\mailte$t\*.txt
bye
exit

Basically, it's

username
password
ftp command
ftp command
etc. etc.

**************************************************************************

From: Question 116
Date: 02 February 2002
Subject: How can I access the console port on my MSFC in my 6500?
Answer by: "Brian V" <[email protected]>

Yes, I've done it many times. I believe the cable is a plain ole ethernet cable, no need to make anything special, just make sure you have a regular patch cable. You'll actually need two of them. One for your laptop's nic card (so you can tftp the new image). One for the console connection. There's actually 2 rj45 ports on the sup board. One's for the pfc and one for the msfc. I have to rebuild a couple of data centers this morning that has a couple 6509's in it.

It's the jack labeled P7, it's the one to the far right of the motherboard. It uses a straight thru, plain ole ethernet cable. There are only two jacks inside, so it's pretty straight forward. If you want the pics, ping me offline and I'll email em to you.

**************************************************************************

From: Question 117
Date: 02 February 2002
Subject: How do I access my MSFC/Router in my 6509?
Answer by: Roberto Piersante ([email protected])

From supervisor1 reset module 15, then "switch console" and send a break:

switch(enable) reset 15
Unsaved configuration on module 15 will be lost
Do you want to continue (y/n) [n]? y
2000 Jun 23 06:36:59 %SYS-5-MOD_RESET:Module 15 reset from Console//
Resetting module 15...
switch(enable) switch console
Trying Router-15...
Connected to Router-15.
Type ^C^C^C to switch back...
/* (A break-sequence has been sent here) */

monitor: command "boot" aborted due to user interrupt
rommon 1 >

Also look at this link:
http://www.cisco.com/warp/public/474/pswdrec_6000MSFC.html

**************************************************************************

From: Question 118
Date: 10 February 2002
Subject: Where can I find a list of undocumented IOS commands?
Answer by: "ozzig" <[email protected]>

http://www.boerland.com/dotu/

**************************************************************************

From: Question 119
Date: 10 February 2002
Subject: Where can I find information on securing or hardening Cisco routers?
Answer by: "James R. Quinn" <[email protected]>

Cisco Router Hardening Step-by-Step
http://rr.sans.org/firewall/router2.php

Improving Security on Cisco Routers:
http://www.cisco.com/warp/public/707/21.html

Cisco PSIRT Advisories
http://www.cisco.com/warp/public/707/advisory.html

Cisco's Security Technical Tips
http://www.cisco.com/warp/public/707/index.shtml

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
http://www.cisco.com/warp/public/707/newsflash.html

Characterizing and Tracing Packet Floods Using Cisco Routers
http://www.cisco.com/warp/public/707/22.html

Denial of Service (DoS) Attack Resources
http://www.denialinfo.com/

**************************************************************************

From: Question 120
Date: 10 February 2002
Subject: How can I connect two Cisco routers back to back through the AUX ports?
Answer by: "James R. Quinn" <[email protected]>

Connecting Routers Back-to-Back Through the AUX Ports
http://www.cisco.com/warp/public/793/access_dial/auxback.html

Configuring AUX-to-AUX Port Async Backup with Dialer Watch
http://www.cisco.com/warp/public/471/aux-aux-watch.html

Using the AUX Port on Cisco Routers for IP/IPX Router Communications
http://www.networkingunlimited.com/white006.html

**************************************************************************

From: Question 121
Date: 02 February 2002
Subject: How do I use Secure Shell (SSH) on Cisco devices?
Answer by: "James R. Quinn" <[email protected]>

Configuring Secure Shell (SSH) on Cisco IOS® Routers
http://www.cisco.com/warp/public/707/ssh.shtml

How to Configure SSH on Catalyst Switches Running CatOS
http://www.cisco.com/warp/public/707/ssh_cat_switches.html

**************************************************************************

From: Question 122
Date: 10 February 2002
Subject: Can I use a /31 address space for my serial point-to-point interfaces?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

It depends. If you have 12.2.x release of IOS, you can use /31 address. For example:

interface Serial5/1
 ip address 192.168.1.1 255.255.255.254

See the following for more information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ft31addr.htm

**************************************************************************

From: Question 123
Date: 29 May 2002
Subject: How do I see log messages on the router console?
Answer by: "Phillip Remaker" <[email protected]>

Log messages are broken into 7 levels, and they can go to 3 places:

- Console (console logging)
- Monitor (any line configured with "monitor" or with the "terminal monitor" exec command)
- trap (syslog)

The command to turn up log messages is "logging (place) (level)"

In your case, you probably want

logging console informational

for minimum messages or

logging console debug

for debugging messages.

Tip: console logging is disabled by default because the console serial port makes 1 interrupt per character, and has the highest priority of any interrupt on the box. If you want to do console logging, you should probably also rate limit the messages, since an uncontrolled flood of messages to the console can literally cause the box to slow to a crawl and fail.

In most cases, it is a better idea to telnet to the box, and debug using'monitor' logging and "terminal monitor" on the vty.

**************************************************************************

From: Question 124
Date: 29 May 2002
Subject: What is my overhead of using IPSec
Answer by: [email protected] (Alan Strassberg)

IPSec Overhead [ from another net posting ]

esp-des = 24 bytes
esp-3des = 24 bytes
ah-sha-hmac = 24 bytes
ah-md5-hmac = 24 bytes
esp-md5-hmac = 12 bytes
esp-sha-hmac = 12 bytes
standard header = 20 bytes

esp-des/esp-md5-hmac = 56 bytes
esp-3des/esp-sha-hmac = 56 bytes
esp-des/ah-sha-hmac = 68 bytes
esp-des/ah-md5-hmac = 68 bytes
esp-des/ah-sha-hmac/esp-sha-hmac = 80 bytes

other
gre = 24 bytes

For example I use ESP over AH with a GRE tunnel in tunnel mode.
20 (IP header) + 24 (AH header) + 16 (ESP header) + 4 (GRE) + 2 (ESP trailer)

My MTU is 1500 - 66 = 1434

alan

**************************************************************************

From: Question 125
Date: 29 May 2002
Subject: What is the pinout for the DB9 to RJ45 connector?
Answer by: "ferg" <[email protected]>

ok, I just tested the pinouts of a DB9-RJ45 adapter that I have here...this is what I found:

DB9   RJ45
1  -  nothing
2  -  6
3  -  3
4  -  2
5  -  4&5 together
6  -  7
7  -  1
8  -  8
9  -  nothing

**************************************************************************

From: Question 126
Date: 29 May 2002
Subject: Should I use a T1, Cable modem or DSL for Internet connections?
Answer by: [email protected] (Vincent Jones)

This question comes up often enough it probably should be in the FAQ. Each has its advantages and each has its weaknesses. Which is best will depend upon the specific business requirements and how the network is used.

T1/E1 - Providers tend to treat T1's as serious business products. They tend to be better managed and service response to outages is usually quick. Data rate is a constant, if you order 1.544Mbps, you get 1.544 Mbps in both directions. (Note: fractional T1 may be available with asymmetric capacity provisioned).

DSL - Providers consider this a "consumer grade" offering. Users' experience has been more frequent outages. More important, response to failures that do occur tends to be slow, particularly if the local telco providing the copper is competing with the DSL provider. ADSL provides asymmetric data rates, but "business grade" offerings, such as IDSL and SDSL provide the same data rates both upstream and downstream. High data rates are only available to users close to the telephone central office.

Cable - Shared medium subject to fluctuating bandwidth availability. Reliability will depend upon the local cable company, and can vary widely. On average, tends to be about as available as DSL. Only available in areas wired for cable TV, which could limit availability in business parks and other non-residential areas. Also only available where the cable franchise has chosen to offer the service.

Other Considerations (feel free to add ones I've missed)

Provisioning of redundant connectivity for servers offered to the public versus internal users browsing the Internet versus VPNs for cost savings all have very different requirements and solutions suitable for one may not work with the others.

BGP support for multihoming is typically only available on T1 links. But then again, if you're only surfing or VPNing there are easier ways to get redundancy that do not require BGP.

In most markets, you can buy a lot of ISDN backup for the price difference between DSL/Cable and T1.

Many DSL/Cable providers will block VPN and inbound traffic to your servers unless you purchase their premium "business" service. Make sure the conditions of service are compatible with your needs.

DSL is rarely good backup for T1 because both share the same single points of failure in the telco local loop provisioning. Cable can provide more diversity as a backup, but may still be sharing common single points of failure such as power poles.

**************************************************************************

From: Question 127
Date: 29 May 2002
Subject: How do I change the time length of 15 mins that is used when displaying the Show ISDN history command?
Answer by: John Zwaanswijk

You can try the command isdn-mib retain-timer

**************************************************************************

From: Question 128
Date: 29 May 2002
Subject: Why do I see "double" characters when I telnet into my router?
Answer by: Barry Margolin <[email protected]>

>I have a 2500 router, and it displays double commands as shown below.
>cclloocckk rraattee 6644000000
>what can I do to fix it. Thanks.

Looks to me like you have local echoing configured on your terminal emulator. Turn it off and let the router do all the echoing.

**************************************************************************

From: Question 129
Date: 29 May 2002
Subject: How do I see power-supply failures via SNMP?
Answer by: "Hennen, David" <[email protected]>

you need two commands

set snmp trap enable chassis
set snmp trap (ip address of snmp host) (public community string)

the first one tells the switch to send traps on chassis events, like a power supply failing. the second tells the switch where to send the trap

**************************************************************************

From: Question 130
Date: 29 May 2002
Subject: How do I change the timer for tx/rxload when doing "show int" command?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

Interface command: load-interval IN_SECONDS

**************************************************************************

From: Question 131
Date: 29 May 2002
Subject: How do I setup SLIP on my Cisco terminal servers?
Answer by: [email protected] (Aaron Leonard)

Here's an example:

interface async 1
 encapsulation slip             ! the default
 ip unnumbered ether0
 peer default ip address 10.1.2.3
 async mode interactive

line 1
 speed 19200                    ! or whatever
 flowcontrol hardware           ! or whatever - but not software!
 stopbits 1
 modem dialin                   ! assuming that the DTE's DTR is wired to our DSR

**************************************************************************

From: Question 132
Date: 29 May 2002
Subject: How do I setup FR End-to-End keepalives?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

I believe so. Just so we're clear (to the original poster) bandwidth on demand is the ability to kick up a line when you reach a certain threshold. floating static can't be used since the lower admin-distance route will never get a chance to float up.

FR e-t-e can be setup as follows:

int s0/0
 blah
 frame-relay class end-to-end-keepalive
 blah
!
map-class frame-relay end-to-end-keepalive
 frame-relay end-to-end keepalive mode bidirectional

**************************************************************************

From: Question 133
Date: 29 May 2002
Subject: What basic information do I need to setup a T1 from my ISP?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

Tell them "I'm going to use B8ZS and ESF and I'll provide the clocking"

> What must I decide for myself?

IP address and encapsulation type (ppp or hdlc - the default)

> What commands are going to get me operational?

On the router that will provide the clocking (only one side needs to provide clocking)

enable
conf t
interface s0/0
 ! or wherever you have the WIC1-DSU-T1
 ! Have this router provide the clocking. Alternative is to take it
 ! from the line on both sides and have the Telco provide the clocking.
 !
 service-module t1 clock source internal
 !
 ! Use ESF framing as opposed to Superframe (D4). ESF is the default.
 !
 service-module t1 framing esf
 !
 ! Use B8ZS (Binary 8, zero substitution) as opposed to
 ! AMI - Alternate Mark Inversion. B8ZS is the default.
 !
 service-module t1 linecode b8zs
 !
 ! use ppp when connecting to a non-cisco router. HDLC is the default
 !
 encapsulation ppp
 !
 ip address 192.168.1.1 255.255.255.0
 no shut

On the other side, leave out the "service-module t1 clock source" and use "service-module t1 clock source line" instead.

**************************************************************************

From: Question 134
Date: 29 May 2002
Subject: How do I setup NAT and Port forwarding?
Answer by: Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>

int e0/0
 desc This is the inside address using RFC address
 ip addr 10.1.1.1 255.255.255.0
 ip nat inside
!
int s0/0
 desc This goes to the ISP using assigned address x.x.x.1/30
 ip address x.x.x.1 255.255.255.252
 ip nat outside
!
! Next line determines who will get to use the NAT
! Anyone coming from 10.1.1.0 address will be NATed.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Next line assumes that you want to use one IP for everyone
! and use the port address translation. In your case, you could
! actually use one to one translation.
!
ip nat inside source list 1 interface serial0/0 overload
!
! Set up a static translation so you can telnet into your server
! Assume your server is at 10.1.1.5
!
ip nat inside source static tcp 10.1.1.5 23 x.x.x.1 23
!
! or forward http traffic to your 10.1.1.4 server
!
ip nat inside source static tcp 10.1.1.4 80 x.x.x.1 80

**************************************************************************

From: Question 135
Date: 29 May 2002
Subject: Where can I buy some Back-to-Back serial cables?
Answer by: [email protected] (Vincent Jones)

www.pacificcable.com
www.anthonypanda.com

**************************************************************************

From: Question 136
Date: 29 May 2002
Subject: How can I policy-route router generated packets?
Answer by: "Erick B." <[email protected]>

You need an 'ip local policy route-map ROUTE_MAP_NAME' if you want traffic sourced from the router to go through policy (ie: pings).

**************************************************************************

From: Question 137
Date: 29 May 2002
Subject: Is there another way to upload my IOS w/o a tftp server?
Answer by: "Paul Lalonde" <[email protected]>

Here's what I do when I need to upgrade a router's IOS and I don't have LAN or sync serial access to it for TFTP purposes.

1. Plug the following code into the router to configure it for PPP on the AUX port:

interface Async1
 ip address 192.168.255.254 255.255.255.252
 encapsulation ppp
 no ip route-cache
 async default routing
 async mode dedicated
!
ip default-gateway 192.168.255.253
!
line con 0
line aux 0
 no exec
 exec-timeout 0 0
 modem InOut
 transport input all
 stopbits 1
 rxspeed 38400
 txspeed 38400
 flowcontrol hardware

2. Configure a "dialup networking" entry on my Windows PC using the NULL-MODEM driver available from the following Cisco URL:

http://www.cisco.com/warp/public/471/103.html

Configure the dialup networking entry to use 192.168.255.253 as the IP address of the dialing interface.

3. Start up the TFTP server on my Windows PC.

4. Connect to the router from my Windows PC using the dialup networking entry.

5. Open up the router console and use regular TFTP commands to pull the image across.

Depending on what family of router you have (2500, 2600) your AUX port will accommodate up to 38400 (older families) or 115200 (newer families).

**************************************************************************

From: Question 138
Date: 29 May 2002
Subject: What does the keyword EXTENDABLE mean when doing NAT?
Answer by: Josh Duffek ([email protected])

From: http://www.cisco.com/warp/public/701/60.html

"Extendable" static translations:

The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address.

ip nat inside source static <localaddr> <globaladdr> extendable

Some customers want to use more than one service provider and translate into each provider's address space. You can use route-maps to base the selection of global address pool on output interface as well as an access-list match. Following is an example:

ip nat pool provider1-space ...
ip nat pool provider2-space ...
ip nat inside source route-map provider1-map pool provider1-space
ip nat inside source route-map provider2-map pool provider2-space
!
route-map provider1-map permit 10
 match ip address 1
 match interface Serial0/0
!
route-map provider2-map permit 10
 match ip address 1
 match interface Serial0/1
.
.
.

Once that is working, they might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation.

**************************************************************************

From: Question 139
Date: 29 May 2002
Subject: Where can I get some third party icons for my Visio program?
Answer by: "Mike Gortych" <[email protected]>

Check out www.altimatech.com; they sell a product called netzoom that has a great cisco library that they keep up to date. They even take requests!

**************************************************************************

From: Question 140
Date: 29 May 2002
Subject: Can you help me interpret the output from "Looking Glass" (BGP?)
Answer by: Barry Margolin <[email protected]>

> I am learning BGP.
> I notice a lot of our engineers where I work use looking glass at
> www.traceroute.org to get answers to a lot of their questions.
> Unfortunately it's hard to get them to give me a seminar.
> Looking glass isn't covered in my cisco press books.
> I am having a hard time grasping when I would need to use looking
> glass, and particularly how to use it.
>
> I put in an ameritrade address and it gives me the following.
>
> Query: bgp
> Addr: 64.236.2.194
> BGP routing table entry for 64.236.0.0/16, version 89281795
> Paths: (2 available, best #2)
>   Not advertised to any peer
>   1668
>     66.185.128.93 (metric 445601) from 165.117.1.194 (165.117.1.194)
>       Origin IGP, metric 4294967294, localpref 105, valid, internal
>       Community: 2548:177 2548:209 2548:666 3706:115
>   1668
>     66.185.128.51 (metric 410701) from 165.117.1.166 (165.117.1.166)
>       Origin IGP, metric 4294967294, localpref 105, valid, internal, best
>       Community: 2548:177 2548:317 2548:666 3706:164
>
> What peer problems would arise where I may need this information?
> especially considering I would need to have a peer address to put in
> in the first place.

This is usually used to confirm that a route is being advertised by the proper ISP. You don't put peer addresses in, you put destination network addresses in.

> I see there are communities. not sure who the community members are or
> what the parameters contained in the community attribs are. Any way to
> find out?

Most communities don't have standard meanings. Each AS assigns meanings to the communities that it cares about. By convention, communities are formed by concatenating the ASN that's using the community with a second number that the AS network administrators assign, so the communities shown above are meaningful to AS 2548 and AS 3706. Communities are often used by ISPs to allow their customers to influence routing parameters; for instance, the customer can often send communities that control what localpref the ISP assigns to the routes.

> Any good hints/web-links on how to use or get the most out of the
> looking glass site would be appreciated.

There's nothing really special about the looking glass, it's just showing you the output of "show ip bgp" (and other router commands). It's no different from doing it on your own routers, but the looking glass lets you do it from outside your network, so you can tell whether a problem is specific to your network or more widespread.

> Thank you for that enlightening input.
>
> This time I queried.
> Query: bgp
> Addr: 216.202.0.0
> It is a Genuity address.
>
> Here is the output below.
> Could someone explain
> " Advertised to non peer-group peers:
>   198.32.187.122 " this belongs to : Exchange Point Blocks (NET-EP-)

That's a BGP neighbor of the looking glass router, which the router will share this route with.

> Also Genuity actually owns AS number "1" (Very prestigious).
> from the first entry
> "4.24.7.77 (metric 345601) from 165.117.1.127"
> it looks like Genuity 4.24.x.x is learning this from Digex
> 165.117.1.127
> Why would Genuity learn their own address from Digex.

No, it means that *this* router (Digex's router at MAE-EAST) learned the route from 165.117.1.127. Since Digex doesn't connect to Genuity at MAE-EAST (tier 1 ISPs use private peering amongst each other, we only use the public exchanges to connect with smaller ISPs), it has to learn Genuity routes via the Digex backbone.

> Also could I assume that just because there is no path with AOL in it
> that AOL doesn't have a path to them?

No. The looking glass is just showing the routes from Digex to the destination. Why would traffic from Digex to Genuity go through AOL?
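The looking-glass entry quoted in this thread is plain "show ip bgp" output. As an added example (not from the FAQ or any of its contributors), the following Python parser turns such an entry into structured paths so a script can check which path is best, which neighbour the looking-glass router learned it from, and which ASNs the attached communities belong to. The sample input is the entry from the question above, embedded as a constructed string; the field names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the looking-glass entry quoted in the question above.
SAMPLE = """\
BGP routing table entry for 64.236.0.0/16, version 89281795
Paths: (2 available, best #2)
  Not advertised to any peer
  1668
    66.185.128.93 (metric 445601) from 165.117.1.194 (165.117.1.194)
      Origin IGP, metric 4294967294, localpref 105, valid, internal
      Community: 2548:177 2548:209 2548:666 3706:115
  1668
    66.185.128.51 (metric 410701) from 165.117.1.166 (165.117.1.166)
      Origin IGP, metric 4294967294, localpref 105, valid, internal, best
      Community: 2548:177 2548:317 2548:666 3706:164
"""

@dataclass
class Path:
    as_path: List[int]        # ASNs from the looking-glass router toward the origin
    next_hop: str
    learned_from: str         # neighbour the looking-glass router heard the route from
    igp_metric: int           # IGP cost to reach the next hop
    localpref: Optional[int] = None
    best: bool = False
    communities: List[Tuple[int, int]] = field(default_factory=list)  # (ASN, value)

_AS_LINE = re.compile(r"^\d+( \d+)*$")
_HOP_LINE = re.compile(r"^(\S+) \(metric (\d+)\) from (\S+)")

def parse_bgp_entry(text: str) -> Tuple[Optional[str], List[Path]]:
    """Parse one 'show ip bgp <prefix>' entry into (prefix, list of paths)."""
    prefix, paths, pending_as = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("BGP routing table entry for"):
            prefix = line.split("for ", 1)[1].split(",", 1)[0]
        elif _AS_LINE.match(line):
            pending_as = [int(a) for a in line.split()]   # a bare AS list starts a path
        elif pending_as is not None and (m := _HOP_LINE.match(line)):
            paths.append(Path(pending_as, m.group(1), m.group(3), int(m.group(2))))
            pending_as = None
        elif line.startswith("Origin ") and paths:
            attrs = [a.strip() for a in line.split(",")]
            paths[-1].best = "best" in attrs
            for a in attrs:
                if a.startswith("localpref "):
                    paths[-1].localpref = int(a.split()[1])
        elif line.startswith("Community:") and paths:
            for c in line.split()[1:]:
                asn, val = c.split(":")
                paths[-1].communities.append((int(asn), int(val)))
    return prefix, paths

def community_owners(paths: List[Path]) -> set:
    """ASNs whose communities are attached; only they know what the values mean."""
    return {asn for p in paths for asn, _ in p.communities}
```

Run against the sample, the parser reports 1668 as the origin AS of both paths, the second path as best, and communities belonging to AS 2548 and AS 3706, which is exactly what the answer above points out.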

**************************************************************************

From: Question 141
Date: 29 May 2002
Subject: When using Tunnel with an interface that has an ACL, what happens?
Answer by: Barry Margolin <[email protected]>

> I'm doing an IP tunnel between 2 routers with the command
> interface tunnel which has the ethernet0 source.
> Is the access-list applied on the ethernet0 inbound also filtering the
> tunnel traffic?

Yes. When traffic arrives, it will first be processed by the ethernet interface's inbound access list. If it is permitted in, the router will then de-encapsulate the tunnel traffic, and it will be processed by the tunnel interface's inbound access list.

**************************************************************************

From: Question 142
Date: 29 May 2002
Subject: Do I need a Xover cable when using 1000Base-T?
Answer by: [email protected] (Rich Seifert)

> I guess it depends on the 1000baseT NICs. On mine, I've used both a
> crossover cable and a straight thru cable just fine to connect two NICs.
> They autonegotiate

Correct. First of all, 1000BASE-T *requires* Auto-Negotiation; it isn't designed to work without it. Second, most 1000BASE-T equipment implements a function that detects whether the cable is straight-through or crossover, and automatically configures itself to work either way. (During the startup training, it can tell how the pairs are connected, and connect each pair to the appropriate decoder module.)

**************************************************************************

From: Question 143
Date: 29 May 2002
Subject: How do I break the "Rule of Ten" for BGP Load balancing?
Answer by: "Cajun" <[email protected]>

That's not true. BGP WILL join two lines AND load balance across them. The trick is, you have to make every single one of the "Rule of Ten" rules equal; which is not a difficult thing to do. Weights, MED's, Local Preference, AS-Path, etc, will all most likely be identical, provided both T1's come from the same provider (yes, I know he said they're different providers.) You can load-balance with BGP across two links, provided the links terminate on the same router on both ends. With everything else being equal, BGP will snag on the last rule, using the IP address of the interfaces to decide which path to take. All you have to do is break that last rule and you're home free.

Here's how you do it:

1) Place static routes on each router pointing across each link to get to the other's loopback address.
2) Set up your neighbor statements with each other's loopback address.
3) Put in a neighbor statement with an update-source of your loopback address.
4) Enter another neighbor statement with ebgp-multihop.

BAM! You're done. You've just now broken the "Rule of Ten." BGP will have no choice but to enter two routes into the routing table, which will load balance.

**************************************************************************

From: Question 144
Date: 29 May 2002
Subject: How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?
Answer by: Barry Margolin <[email protected]>

router bgp #####
 no sync
 ! advertise your address block
 network 1.2.3.a mask 255.255.255.224
 neighbor x.x.x.x remote-as x
 neighbor x.x.x.x filter-list 1 out
 neighbor x.x.x.x distribute-list 1 in
 neighbor y.y.y.y remote-as y
 neighbor y.y.y.y filter-list 1 out
 neighbor y.y.y.y distribute-list 1 in
 ! IBGP between the two routers
 neighbor 1.2.3.b remote-as #####

! Only advertise locally-originated routes, not transit routes
ip as-path access-list 1 permit ^$

! Only accept a default route
access-list 1 permit 0.0.0.0

**************************************************************************

From: Question 145
Date: 29 May 2002
Subject: Should I turn off console logging?
Answer by: "Phillip Remaker" <[email protected]>

crashinfo reads from the log buffer, not the console itself. If you want to have console messages included in crashinfo, you may turn on logging console BUT you also want to be sure logging buffered is on. Once logging buffered is on, console messages do not go to the physical console port and the interrupt problem is circumvented.

> My question is if it is good default practice to turn off console
> logging or not?


You should turn it off unless you are using logging buffered. It is off by default in modern IOS versions.

> And on routers (e.g. 7200 and 2600) that have console
> logging disabled, would it reduce the useful info on crashinfo file when
> the router crashed?

Yes. But again, it will only save information from 'logging buffered.' So if you want the information, you can turn on logging console, but only if you also use logging buffered....

**************************************************************************
HALL OF FAME FOR VERSION 2.0 AND ABOVE
**************************************************************************

1X "Alberto Colmenero" <[email protected]>
1X "aros.net" <[email protected]>
1X "BM" <[email protected]>
1X "Brad Ellis" <[email protected]>
1X "Brian V" <[email protected]>
1X "Brian" <[email protected]>
1X "bt" <@speakeasy.org>
1X "Gregg Branham" <[email protected]>
1X "harry" <[email protected]>
1X "Ian M" <[email protected]>
1X "Joel" <[email protected]>
1X "John Kaberna" <[email protected]>
1X "Laron Swapp" <[email protected]>
1X "Lindsay Druett" <[email protected]>
1X "MikeN" <[email protected]>
1X "Niloupi" <[email protected]>
1X "Patrick M. Hausen" <[email protected]>
1X "Pawel Sikora" <[email protected]>
1X "Steven Griffin" <[email protected]>
1X Alex Bakhtin <[email protected]>
1X Bernie <[email protected]>
1X Christophe Fillot <[email protected]>
1X Dave Phelps <[email protected]>
1X [email protected] John Agosta <[email protected]>
1X [email protected] (Martin H. Levin)
1X [email protected] (Mortimer Mouse)
1X [email protected] (Thomas Volk)
1X Paul J Murphy <[email protected]>
1X Paul Koch <[email protected]>
1X Roberto Piersante ([email protected])
1X [email protected] (Rod Dorman)
1X [email protected] (Lee)
1X "ozzig" <[email protected]>
1X "ferg" <[email protected]>
1X John Zwaanswijk
1X "Hennen, David" <[email protected]>
1X "Erick B." <[email protected]>
1X "Paul Lalonde" <[email protected]>
1X "Mike Gortych" <[email protected]>
1X "Cajun" <[email protected]>

2X [email protected] (Alan Strassberg)
2X Richard Gallagher <[email protected]>
2X "John Paul Morrison" <[email protected]>
2X [email protected] (Rich Seifert)

3X "Josh Duffek" <[email protected]>
3X "James R. Quinn" <[email protected]>
3X "Phillip Remaker" <[email protected]>

4X Barry Margolin <[email protected]>

5X Terry Kennedy <[email protected]>
5X [email protected] (Vincent C Jones)

6X [email protected] (Aaron Leonard)
6X Michael Shorts ([email protected])

25X Hansang Bae <hbae_@_nyc.rr.com.REMOVE_>