
100 FREQUENTLY ASKED CISCO NETWORKING TECHNICAL QUESTIONS

*************************************************************************
From: Question 1
Subject: What does ``cisco'' stand for?

cisco folklore time: At one point in time, the first letter in cisco Systems was a lowercase ``c''. At present, various factions within the company have adopted a capital ``C'', while fierce traditionalists (as well as some others) continue to use the lowercase variant, as does the cisco Systems logo. This FAQ has chosen to use the lowercase variant throughout.

cisco is not C.I.S.C.O. but is short for San Francisco, so the story goes. Back in the early days when the founders Len Bosack and Sandy Lerner and appropriate legal entities were trying to come up with a name they did many searches for non-similar names, and always came up with a name which was denied. Eventually someone suggested ``cisco'' and the name wasn't taken (although SYSCO may be confusingly similar sounding). There was an East Coast company which later was using the ``CISCO'' name (I think they sold in the IBM marketplace); they ended up having to not use the CISCO abbreviation. Today many people spell cisco with a capital ``C'', citing problems in getting the lowercase ``c'' right in publications, etc. This led to at least one amusing article headlined ``Cisco grows up''. This winter we will celebrate our 10th year.

[This text was written in July of 1994 -jhawk]

*************************************************************************
From: Question 2
Subject: How do I save the configuration of a cisco?

If you have a tftp server available, you can create a file on the server for your router to write to, and then use the write network command. From a typical unix system:

    mytftpserver$ touch /var/spool/tftpboot/myconfig
    mytftpserver$ chmod a+w /var/spool/tftpboot/myconfig

    myrouter#copy running-config tftp
    Remote host [10.7.0.63]? 10.7.0.2
    Name of configuration file to write [myrouter-confg]? myconfig
    Write file foobar on host 10.7.0.2? [confirm] y

*************************************************************************
From: Question 3
Subject: How can I get my cisco to talk to a third party router over a serial link?

You need to tell your cisco to use the same link-level protocol as the other router; by default, ciscos use a rather bare variant of HDLC (High-level Data Link Control), the framing that all link-level protocols use at some level or layer. To make your cisco operate with most other routers, you need to change the encapsulation from HDLC to PPP on the relevant interfaces. For instance:

    sewer-cgs#conf t
    Enter configuration commands, one per line.
    Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
    interface serial 1
    encapsulation ppp
    ^Z

    sewer-cgs#sh int s 1
    Serial 1 is administratively down, line protocol is down
      Hardware is MCI Serial
      MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec, rely 255/255, load 1/255
      Encapsulation PPP, loopback not set, keepalive set (10 sec)
      ^^^^^^^^^^^^^^^^^
    [...]

If you're still having trouble, you might wish to turn on serial interface debugging:

    sewer-cgs#ter mon
    sewer-cgs#debug serial-interface

*************************************************************************
From: Question 4
Subject: How can I get my cisco to talk to a 3rd-party router over Frame Relay?

You should tell your cisco to use ``encapsulation frame-relay ietf'' (instead of ``encapsulation frame-relay'') on the serial interface that's running frame relay if your frame relay network contains a diverse set of manufacturers' routers. The keyword ``ietf'' specifies that your cisco will use RFC1294-compliant encapsulation rather than the default, RFC1490-compliant encapsulation (other products, notably Novell MPR 2.11, use a practice sanctioned by 1294 but deemed verboten by 1490, namely padding of the NLPID). If only a few routers in your frame relay cloud require this, then you can use the default encapsulation on everything and specify the exceptions with the frame-relay map command:

    frame-relay map ip 10.1.2.3 56 broadcast ietf
                                           ^^^^

(ietf stands for Internet Engineering Task Force, the body which evaluates Standards-track RFCs; this keyword is a misnomer as both RFC1294 and RFC1490 are ietf-approved; however, 1490 is more recent and is a Draft Standard (DS), whereas 1294 is a Proposed Standard (one step beneath a DS), and is effectively obsolete).

*************************************************************************
From: Question 5
Subject: How can I use debugging?

The ``terminal monitor'' command directs your cisco to send debugging output to the current session. It's necessary to turn this on each time you telnet to your router to view debugging information. After that, you must specify the specific types of debugging you wish to turn on; please note that these stay on or off until changed, or until the router reboots, so remember to turn them off when you're done.

Debugging messages are also logged to a host if you have trap logging enabled on your cisco. You can check this like so:

    sl-panix-1>sh logging
    Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
        Console logging: level debugging, 66 messages logged
        Monitor logging: level debugging, 0 messages logged
        Trap logging: level debugging, 69 message lines logged
            Logging to 198.7.0.2, 69 message lines logged
    sl-panix-1>

If you have syslog going to a host somewhere and you then set about a nice long debug session from a terminal, your box is doing double work and sending every debug message to your syslog server. Additionally, if you turn on something that provides copious debugging output, be careful that you don't overflow your disk (``debug ip-rip'' is notorious for this). One solution to this is to only log severity ``info'' and higher:

    sl-panix-1#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    logging trap info

The other solution is to just be careful and remember to turn off debugging. This is easy enough with:

    sl-panix-1#undebug all

If you have a heavily loaded box, you should be aware that debugging can load your router. The console has a higher priority than a vty so don't debug from the console; instead, disable console logging:

    cix-west.cix.net#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    no logging console

Then always debug from a vty. If the box is busy and you are a little too vigorous with debugging and the box is starting to sink, quickly run, don't walk, to your console and kill the session on the vty. If you are on the console your debugging has top priority and then the only way out is the power switch. This of course makes remote debugging a real sweaty-palms adventure, especially on a crowded box.

*************************************************************************
From: Question 6
Subject: How do I avoid the annoying DNS lookup if I have misspelled a command?

Use the command

    no ip domain-lookup

*************************************************************************
From: Question 7
Subject: How to use access lists

Where in the router are access lists applied?

In general, basic access lists are executed as filters on outgoing interfaces. Newer releases of the cisco code, such as 9.21 and 10, do have increased ability to filter on incoming ports. Certain special cases, such as broadcasts and bridged traffic, can be filtered on incoming interfaces in earlier releases. There are also special cases involving console access.

Rules, written as ACCESS-LIST statements, are global for the entire cisco box; they are activated on individual outgoing interfaces by ACCESS-GROUP subcommands of the INTERFACE major command. Filters are applied after traffic has entered on an incoming interface and gone through a routing process; traffic that originates in a router (e.g., telnets from the console port) is not subject to filtering.

[ASCII diagram: traffic from A enters the router at interface 1, passes through the global routing process and the global access lists, and is filtered by the access group on outgoing interface 2 before leaving toward B; return traffic from B toward A takes the same links in the opposite direction.]

Some types of ``filter,'' using ``filter'' as a broader class than ACCESS-LIST, can operate on incoming traffic. For example, the INPUT-SAP-FILTER used for Novell networks is applied to Service Advertisement Packets (SAP) seen at incoming interfaces. In general, incoming filtering can only be done for ``system'' rather than user traffic.

Rules of thumb in defining access lists. First, define what you want to do and in which directions. An informal drawing is a good first step. As opposed to the usual connectivity drawings among routers, it's often convenient to draw unidirectional links between routers. Second, informally write out your filtering rules. In general, it is best to go from most specific to least specific. Modify the order of writing things to minimize the number of rules needed. Third, determine which rules need to be on which routers. Explicitly consider the direction of flow, and the possible existence of additional paths that could inadvertently bypass a filter.

Can a cisco router be a ``true'' firewall? This depends on the definition of firewall. Some writers (e.g., Gene Spafford in _Practical UNIX Security_) define a firewall as a host on which an ``inside'' and/or an ``outside'' application process run, with application-level code linking the two. For example, a firewall might provide FTP access to the outside world, but it would not also provide direct FTP service to the inside world. To place a file on the FTP external server, a designated user would explicitly log onto the FTP server, transfer a file to the server, and log off. The firewall prevents direct FTP connectivity between the inside and outside networks; only indirect, application-level connectivity is allowed. Firewalls of this sort are complemented by chokes, which filter on network addresses and/or port numbers. Cisco routers cannot do application-level control with access control lists. Other authors do not distinguish between chokes and filters. Using the loose definition that a firewall is anything that selectively blocks access from the inside to the outside, routers can be firewalls.

IP Specific
-----------

Can the ``operand'' field be used with a protocol keyword of IP to filter on protocol ID?

No. Operand filtering only works for TCP and UDP port numbers.

How can I prevent traffic for a certain Internet application to flow in one direction but not the other?

Remember that Internet applications flow from client port to server port. Denying traffic from port 23, for example, blocks flow from the client to the server.

[ASCII diagram: host A attached to the router's interface 1, host B attached to interface 2, with traffic flowing in both directions on each interface.]

If we deny traffic to Port 23 of address B by placing a filter at interface 2, we have blocked A's ability to telnet to B, but not B's ability to telnet to A. A second filter at interface A would be needed to block telnet in both directions. Assume that we only have the filter at interface 2. Telnets to A from B will not be affected because the filter at 2 does not check incoming traffic.

------

With the arrival of in-bound access lists in 9.21, it should be noted that both inbound and outbound access lists are about equally efficient, in case any of you were wondering. It's worth remembering that there are some kinds of problems that packet-filtering firewalls are not best suited for. There's reasonably good information in:

``Network (in)security through packet filtering''
ftp://ftp.greatcircle.com/pub/firewalls/pkt_filtering.ps.Z

*************************************************************************
From: Question 8
Subject: The cisco boot process

What really happens when a cisco router boots, from boot start to live interfaces? First it boots the ROM os version. It reads the config. Now, it realizes that you want to netboot. It loads the netbooted copy in on top of itself. It then re-initializes the box and rereads the config. Manly, yes, but we like it too....

[[ Ummm... in particular it loads the netbooted copy in as WELL as itself, decompresses it, if necessary, and THEN loads on top of itself. Note that this is important because it tells you what the memory requirements are for netbooting: RAM for ROM image (if it's a run from RAM image), plus dynamic data structures, plus RAM for netbooted image. ]]

The four ways to boot and what happens (sort of):

I (from bootstrap mode)
    The ROM monitor is running. The I command causes the ROM monitor to walk all of the hardware in the bus and reset it with a brute force hammer. If the bits in the config register say to auto-boot, then goto B.

B (from bootstrap mode)
    Load the OS from ROM. If a name is given, tell that image to start silently and then load a new image. If the boot system command is given, then start silently and load a new image.

powercycle
    Does some delay stuff to let the power settle. Goto I.

reload (from the EXEC)
    Goto I.

*************************************************************************
From: Question 9
Subject: How should I restrict access to my router?

Many admins are concerned about unauthorized access to their routers from malicious people on the Internet; one way to prevent this is to restrict access to your router on the basis of IP address.

Many people do this, however it should be noted that a significant number of network service providers allow unrestricted access to their routers to allow others to debug, examine routes, etc. If you're comfortable doing this, so much the better, and we thank you!

If you wish to restrict access to your router, select a free IP access list (numbered from 1-100) -- enter ``sh access-list'' to see those numbers in use.

    yourrouter#sh access-list
    Standard IP access list 5
        permit 192.94.207.0, wildcard bits 0.0.0.255

Next, enter the IP addresses you wish to allow access to your router from; remember that access lists contain an implicit "deny everything" at the end, so there is no need to include that. In this case, 30 is free:

    yourrouter#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    yourrouter(config)#access-list 30 permit 172.30.0.0 0.0.255.255
    yourrouter(config)#^Z

(This permits all IP addresses in the network 172.30.0.0, i.e. 172.30.*.*). Enter multiple lines for multiple addresses; be sure that you don't restrict the address you may be telnetting to the router from.

Next, examine the output of ``sh line'' for all the vty's (Virtual ttys) that you wish to apply the access list to. In this example, I want lines 2 through 12:

    yourrouter#sh line
     Tty Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise  Overruns
       0 CTY
       1 AUX   9600/9600
    *  2 VTY   9600/9600
       3 VTY   9600/9600
       4 VTY   9600/9600
       5 VTY   9600/9600
       6 VTY   9600/9600
       7 VTY   9600/9600
       8 VTY   9600/9600
       9 VTY   9600/9600
      10 VTY   9600/9600
      11 VTY   9600/9600
      12 VTY   9600/9600

[The A, Modem, Roty, AccO, AccI, Uses, Noise and Overruns columns of this listing could not be recovered from the extracted text; the asterisk marks the line the session is using.]

Apply the access list to the relevant lines:

    yourrouter#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    yourrouter(config)#line 2 12
    yourrouter(config-line)# access-class 30 in
    yourrouter(config-line)# ^Z

(This applies access list 30 to lines 2 through 12. It's important to restrict access to the aux port (line 1) if you have a device (such as a CSU/DSU) plugged into it.)
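As an added example (not from the FAQ), the following Python models how IOS evaluates a numbered standard access list like list 30 above: entries are tested top-down, the first match wins, and an implicit deny sits at the end. It also performs the two checks this answer and Question 7 call for: that the address you manage the router from is still permitted before the list goes onto the vtys, and whether a later entry is shadowed by an earlier, broader one (ordering). The running-config lines and addresses are constructed samples.

```python
"""Standard IP access-list evaluator (added example, not part of the FAQ)."""
import ipaddress
from typing import List, Tuple

AclEntry = Tuple[str, str, str]   # (action, network, wildcard), in the order typed in


def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(address: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ _as_int(wildcard)
    return (_as_int(address) & care) == (_as_int(network) & care)


def evaluate(acl: List[AclEntry], source: str) -> str:
    """Return 'permit' or 'deny' for a connection from `source`."""
    for action, network, wildcard in acl:
        if wildcard_match(source, network, wildcard):
            return action                 # first match wins
    return "deny"                         # implicit deny everything at the end


def lockout_check(acl: List[AclEntry], admin_sources: List[str]) -> List[str]:
    """Management addresses the list would lock out once applied with access-class."""
    return [src for src in admin_sources if evaluate(acl, src) != "permit"]


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Indices of entries that can never match because an earlier entry already
    covers every address they would match; ordering is what makes this happen."""
    shadowed = []
    for j, (_, net_j, wild_j) in enumerate(acl):
        care_j = 0xFFFFFFFF ^ _as_int(wild_j)
        for _, net_i, wild_i in acl[:j]:
            care_i = 0xFFFFFFFF ^ _as_int(wild_i)
            # i covers j when i cares about no bit that j ignores, and j's
            # network agrees with i's on every bit i cares about.
            if (care_i & ~care_j & 0xFFFFFFFF) == 0 and wildcard_match(net_j, net_i, wild_i):
                shadowed.append(j)
                break
    return shadowed


def parse_access_list(config_lines: List[str], number: int) -> List[AclEntry]:
    """Collect the entries of one numbered standard list from running-config text."""
    entries: List[AclEntry] = []
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        action, target = parts[2], parts[3]
        if target == "any":
            entries.append((action, "0.0.0.0", "255.255.255.255"))
        elif target == "host" and len(parts) > 4:
            entries.append((action, parts[4], "0.0.0.0"))
        else:
            entries.append((action, target, parts[4] if len(parts) > 4 else "0.0.0.0"))
    return entries


# Constructed running-config fragment modelled on the FAQ's list 30; the
# second line can never match because the first already covers 172.30.0.0/16.
SAMPLE_CONFIG = [
    "access-list 30 permit 172.30.0.0 0.0.255.255",
    "access-list 30 deny 172.30.99.0 0.0.0.255",
]

if __name__ == "__main__":
    acl = parse_access_list(SAMPLE_CONFIG, 30)
    for src in ("172.30.4.7", "172.30.99.1", "192.0.2.10"):
        print(src, "->", evaluate(acl, src))
    print("shadowed entries:", shadowed_entries(acl))
    print("would lock out:", lockout_check(acl, ["172.30.1.1", "192.0.2.10"]))
```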

Be sure to save your configuration with ``copy run start''.

Please note that access lists for incoming telnet connections do NOT cause your router to perform significant CPU work, unlike access lists on interfaces.

*************************************************************************
From: Question 10
Subject: What can I do about source routing?

What *is* source routing?

Source routing is an IP option which allows the originator of a packet to specify what path that packet will take, and what path return packets sent back to the originator will take. Source routing is useful when the default route that a connection will take fails or is suboptimal for some reason, or for network diagnostic purposes. For more information on source routing, see RFC791.

Unfortunately, source routing is often abused by malicious users on the Internet (and elsewhere), and used to make a machine (A), think it is talking to a different machine (B), when it is really talking to a third machine (C). This means that C has control over B's ip address for some purposes.
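To recognise such packets on the wire, here is an added example (not from the FAQ) that walks the IPv4 option list of a packet and reports the RFC791 source-route options: type 131 is Loose Source and Record Route (LSRR, the option ``traceroute -g'' uses) and type 137 is Strict Source and Record Route (SSRR). The packet bytes are constructed inline, with an LSRR hop list, so a monitoring or audit script can be tried against them offline.

```python
"""Detecting source-routed IPv4 packets (added example, not part of the FAQ)."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 7, 131, 137
SOURCE_ROUTE_OPTIONS = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


@dataclass
class SourceRoute:
    kind: str                      # "LSRR" or "SSRR"
    pointer: int                   # offset of the next hop to use (RFC 791: starts at 4)
    hops: List[str] = field(default_factory=list)


def parse_source_route(packet: bytes) -> Optional[SourceRoute]:
    """Return the source-route option of an IPv4 packet, or None if there is none."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4           # header length in bytes
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    options = packet[20:ihl]
    i = 0
    while i < len(options):
        opt_type = options[i]
        if opt_type == IPOPT_EOL:
            break
        if opt_type == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option without length byte")
        opt_len = options[i + 1]
        if opt_len < 2 or i + opt_len > len(options):
            raise ValueError("bad option length")
        if opt_type in SOURCE_ROUTE_OPTIONS:
            pointer = options[i + 2]
            route_bytes = options[i + 3:i + opt_len]
            hops = [".".join(str(b) for b in route_bytes[j:j + 4])
                    for j in range(0, len(route_bytes) - len(route_bytes) % 4, 4)]
            return SourceRoute(SOURCE_ROUTE_OPTIONS[opt_type], pointer, hops)
        i += opt_len
    return None


def build_packet(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (no payload, checksum left zero) with `options`."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # pad with EOL to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                         64, 6, 0,
                         bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split(".")))
    return header + options


def lsrr_option(hops: List[str]) -> bytes:
    """Encode an LSRR option listing `hops`, pointer at the first hop."""
    route = b"".join(bytes(int(x) for x in h.split(".")) for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(route), 4]) + route


# Constructed samples using documentation addresses: one packet carrying a
# loose source route through an intermediate hop, and one plain packet.
SAMPLE_SOURCE_ROUTED = build_packet("192.0.2.99", "198.51.100.10",
                                    lsrr_option(["203.0.113.1", "198.51.100.10"]))
SAMPLE_PLAIN = build_packet("192.0.2.99", "198.51.100.10")

if __name__ == "__main__":
    print(parse_source_route(SAMPLE_SOURCE_ROUTED))   # LSRR with two hops
    print(parse_source_route(SAMPLE_PLAIN))           # None
```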

The proper way to fix this is to configure machine A to ignore source-routed packets where appropriate. This can be done for most unix variants by installing a package such as Wietse Venema's (<wietse@wzv.win.tue.nl>) tcp_wrapper:
ftp://cert.org:pub/tools/tcp_wrappers

For some operating systems, a kernel patch is required to make this work correctly (notably SunOS 4.1.3). Also, there is an unofficial kernel patch available for SunOS 4.1.3 which turns all source routing off; I'm not sure where this is available, but I believe it was posted to the firewalls list by Brad Powell sometime in mid-1994.

If disabling source routing on all your clients is not possible, a last resort is to disable it at your router. This will make you unable to use ``traceroute -g'' or ``telnet @hostname1:hostname2'', both of which use LSRR (Loose Source Record Route, one of the two IP source-routing options), but may be necessary for some. If so, you can do this with:

    foo-e-0#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    foo-e-0(config)#no ip source-route
    foo-e-0(config)#^Z

It is somewhat unfortunate that you cannot be selective about this; it disables all forwarding of source-routed packets through the router, for all interfaces, as well as source-routed packets to the router (the last is unfortunate for the purposes of ``traceroute -g'').

*************************************************************************
From: Question 11
Subject: Is there a block of private IP addresses I can use?

In any event, RFC 1918 documents the allocation of the following addresses for use by ``private internets'':

    10.0.0.0    - 10.255.255.255
    172.16.0.0  - 172.31.255.255
    192.168.0.0 - 192.168.255.255

Most importantly, it is vital that nothing using these addresses should ever connect to the global Internet, or have plans to do so. Please read the above RFCs before considering implementing such a policy.

As an additional note, some Internet providers provide network-management services, statistics gathering, etc. It is unlikely (if at all possible) that they would be willing to perform those services if you choose to utilize private address space.

With the increasing popularity and reliability of address translation gateways, this practice is becoming more widely accepted. Cisco has acquired Network Translation, who manufacture such a product. It is now available as the Cisco Private Internet Exchange. With it, you can use any addressing you want on your private internet, and the gateway will ensure that the invalid addresses are converted before going out onto the global Internet. It also makes a good firewall. Information on this product is available at

http://www.cisco.com/warp/public/751/pix/index.html

*************************************************************************
From: Question 12
Subject: How do I interpret the output of ``show version''?

Typing ``show version'' or ``show hardware'' yields a response like:

    prospect-gw.near.net>sh version
    Cisco Internetwork Operating System Software
    IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]

    System-type (imagename) Version major.minor(release.interim)[who] Desc

System-type: type of system the software is designed to run on.

imagename: The name of the image. This is different (slightly) for run-from-rom, run-from-flash, and run-from-ram images, and also for subset images which both were and will be more common.

"Version": text changes slightly. For example, if an engineer gives you a special version of software to try out a bug fix, this will say experimental version.

Major: Major version number. Changes (in theory) when there have been major feature additions and changes to the software.

Minor: minor version number. Smaller but still significant feature added. (In reality, cisco is not very sure what the difference between "major" and "minor" is, and sometimes politics gets in the way, but either of these "incrementing" indicates feature additions.) EXCEPT: 9.14, 9.17, and 9.1 are all somewhat similar. 9.1 is the base, 9.14 adds special features for low end systems, 9.17 added special features specific to the high end (cisco-7000). This was an experiment that we are trying not to repeat.

release: increments (1 2 3 4 ...) for each maintenance release of released software. Increments for every compile in some other places.

interim: increments on every build of the "release tree", which happens weekly for each release, but is only made into a generically shipping maintenance release every 7 to 8 weeks or so.

[who]: who built it. Has "fc 1" or similar for released software. Has something like [billw 101] for test software built by Bill Westfield (billw@cisco.com).

Desc: additional description.

The idea is that the image name and version number UNIQUELY identify a set of sources and debugging information somewhere back at cisco, should anything go wrong.

    Copyright (c) 1986-1995 by cisco Systems, Inc.
    Compiled Thu 09-Mar-95 23:54 by tli
    Image text-base: 0x00001000, data-base: 0x00463EB0

Copyright, compilation date (and by whom), as well as the starting address of the image.

    ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
    ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)

The version of ROM bootstrap software, and the version of IOS in ROM.

    prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
    System restarted by reload

How long the router has been up, and why it restarted.

    System image file is "sse-current", booted via flash

How the router was booted.

    RP (68040) processor with 16384K bytes of memory.

Type of processor.

    G.703/E1 software, Version 1.0.
    X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
    Bridging software.
    ISDN software, Version 1.0.

Various software options compiled in.

    1 Silicon Switch Processor.
    2 EIP controllers (8 Ethernet).
    2 FSIP controllers (16 Serial).
    1 MIP controller (1 T1).
    8 Ethernet/IEEE 802.3 interfaces.
    16 Serial network interfaces.
    128K bytes of non-volatile configuration memory.
    4096K bytes of flash memory sized on embedded flash.

Hardware configuration.

    Configuration register is 0x102

Lastly, the "configuration register", which may be set via software in current releases...
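As an added example (not from the FAQ), this Python applies the ``System-type (imagename) Version major.minor(release.interim)[who] Desc'' template above to the banner lines of ``show version'', so an inventory script can record which image a router runs, whether it is a released or an experimental build, who built it, and what the configuration register says. The input is the FAQ's own sample output re-typed as a string; the check on register bit 0x40 (ignore NVRAM at boot) is a fact about IOS config registers that the FAQ does not itself state.

```python
"""Parsing ``show version`` output (added example, not part of the FAQ)."""
import re
from typing import Any, Dict, List, Optional

VERSION_RE = re.compile(
    r"^(?:IOS \(tm\) )?(?P<system>.+?) \((?P<image>[^)]+)\), "
    r"(?P<kind>Experimental )?Version (?P<major>\d+)\.(?P<minor>\d+)"
    r"\((?P<release>\d+)(?:\.(?P<interim>\d+))?\)"
    r"(?: \[(?P<who>[^\]]+)\])?(?P<desc>.*)$"
)
COMPILED_RE = re.compile(r"^Compiled (?P<when>.+) by (?P<by>\S+)$")
UPTIME_RE = re.compile(r"^(?P<host>\S+) uptime is (?P<uptime>.+)$")
RESTART_RE = re.compile(r"^System restarted by (?P<reason>.+)$")
CONFREG_RE = re.compile(r"^Configuration register is 0x(?P<reg>[0-9A-Fa-f]+)")


def parse_version_line(line: str) -> Optional[Dict[str, Any]]:
    """Split one image banner into the fields named by the FAQ's template."""
    m = VERSION_RE.match(line.strip())
    if not m:
        return None
    desc = m.group("desc").strip(" ,")
    return {
        "system": m.group("system"),
        "image": m.group("image"),
        "major": int(m.group("major")),
        "minor": int(m.group("minor")),
        "release": int(m.group("release")),
        "interim": int(m.group("interim")) if m.group("interim") else None,
        "who": m.group("who"),
        "experimental": m.group("kind") is not None,
        "released": "RELEASE SOFTWARE" in desc,
        "desc": desc,
    }


def parse_show_version(text: str) -> Dict[str, Any]:
    """Summarise the banner section of ``show version``."""
    info: Dict[str, Any] = {"rom": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ROM: "):
            parsed = parse_version_line(line[5:])     # the IOS image held in ROM
            if parsed:
                info["rom"].append(parsed)
            continue
        parsed = parse_version_line(line)
        if parsed and "running" not in info:          # first banner is the running image
            info["running"] = parsed
            continue
        for key, rx in (("compiled", COMPILED_RE), ("uptime", UPTIME_RE),
                        ("restart", RESTART_RE), ("confreg", CONFREG_RE)):
            m = rx.match(line)
            if m:
                info[key] = m.groupdict()
    if "confreg" in info:
        reg = int(info["confreg"]["reg"], 16)
        # Bit 6 (0x40) of the configuration register makes the router ignore the
        # configuration in NVRAM at boot (the password-recovery setting).
        info["ignores_nvram"] = bool(reg & 0x40)
    return info


def audit(info: Dict[str, Any]) -> List[str]:
    """Findings an inventory check would report from the summary."""
    findings = []
    run = info.get("running")
    if run and (run["experimental"] or not run["released"]):
        findings.append("running image is not a released build")
    if info.get("ignores_nvram"):
        findings.append("configuration register ignores NVRAM (startup config not loaded)")
    return findings


# The FAQ's own sample output, re-typed here as the constructed input.
SAMPLE = """\
Cisco Internetwork Operating System Software
IOS (tm) GS Software (GS7), Experimental Version 10.2(11829) [pst 113]
Copyright (c) 1986-1995 by cisco Systems, Inc.
Compiled Thu 09-Mar-95 23:54 by tli
Image text-base: 0x00001000, data-base: 0x00463EB0

ROM: System Bootstrap, Version 5.0(7), RELEASE SOFTWARE
ROM: GS Software (GS7), Version 10.0(7), RELEASE SOFTWARE (fc1)

prospect-gw.near.net uptime is 2 weeks, 4 days, 18 hours, 38 minutes
System restarted by reload
System image file is "sse-current", booted via flash
Configuration register is 0x102
"""

if __name__ == "__main__":
    summary = parse_show_version(SAMPLE)
    print(summary["running"])
    print(audit(summary))
```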

*************************************************************************
From: Question 13
Subject: When are static routes redistributed?

In the simple case, any static route *in the routing table* is redistributed if the ``redistribute static'' command is used, and some filter (set with either ``route-map'' or ``distribute-list out'') doesn't filter it out.

Whether the static route gets into routing table depends on:

  - Whether the next hop address is reachable (if you use a static route pointing to a next hop), OR
  - Whether the interface is up (if you use a static route pointing to an interface).

If one of these is true, an attempt is made to add the route to the routing table; whether that succeeds depends on the administrative distance of the route -- a lower administrative distance (the route is "closer") than a preexisting route will cause the preexisting route to be overwritten.

*************************************************************************
From: Question 14
Subject: When is the next hop of a route considered ``reachable''?

When a static route is added, or during an important event (e.g. an interface up/down transition), the next hop for a route is looked up from the routing table (i.e. recursive routing). As a consequence, if a route which is depended upon for evaluation of the next hop of a static route goes away, a mechanism is required to remove that (now-invalid) static route. Scanning all static routes each time the routing table changes is too expensive, so instead a periodic timer is used. Once a minute, static routes are added to and removed from the routing table based on the routes they depend upon. It should be noted that a particular static route will be reevaluated when its interface transitions up or down.

*************************************************************************
From: Question 15
Subject: How do name and phone number of ``dialer map'' interfere?

How do name and phone number of `dialer map' interfere?

We use the telephone number first, actually. If the caller id matches the telephone number to call, then you don't need the 'name' parameter with a phone number. I realized that the above is ambiguous, so let's do this. You have:

    dialer map ip x.x.x.x name <param1> <phone-num>

<param1> is used for incoming authentication. It can be either the hostname, for PAP and CHAP, or it can be a number as returned by caller id. If this is not there, and it is an incoming call, and there is caller id, we will compare against <phone-num> to see if that matches.

*************************************************************************
From: Question 16
Subject: What's the purpose of the network command?

> what is the real purpose of the network subcommand of
> router commands? When do I not want to include a network
> I know about?

The real purpose of the 'network' sub-command of the router commands is to indicate what networks that this router is connected to are to be advertised in the indicated routing protocol or protocol domain. For example, if OSPF and EIGRP are configured, some subnets may be advertised in one and some in the other. The network command enables one to do this.

An example of such a case is a secure subnet. Imagine the case where a set of subnets are permitted to communicate within a campus, but one of the buildings is intended to be inaccessible from the outside. By placing the secure subnet in its own network number and not advertising the number, the subnet is enabled to communicate with other subnets on the same router, but is unreachable from any other router, barring static routes. This can be extended by using a different routing protocol or routing protocol domain for the secure network; subnets on the various routers within the secure domain are mutually reachable, and routes from the non-secure domain may be leaked into the secure domain, but the secure domain is invisible to the outside world.

*************************************************************************
From: Question 17
Subject: What is VLSM?

A Variable Length Subnet Mask (VLSM) is a means of allocating IP addressing resources to subnets according to their individual need rather than some general network-wide rule.

Of the IP routing protocols supported by Cisco, OSPF, Dual IS-IS, BGP-4, and EIGRP support "classless" or VLSM routes.

Historically, EGP depended on the IP address class definitions, and actually exchanged network numbers (8, 16, or 24 bit fields) rather than IP addresses (32 bit numbers); RIP and IGRP exchanged network and subnet numbers in 32 bit fields, the distinction between network number, subnet number, and host number being a matter of convention and not exchanged in the routing protocols. More recent protocols (see VLSM) carry either a prefix length (number of contiguous bits in the address) or subnet mask with each address, indicating what portion of the 32 bit field is the address being routed on.

A simple example of a network using variable length subnet masks is found in Cisco engineering. There are several switches in the engineering buildings, configured with FDDI and Ethernet interfaces and numbered in order to support 62 hosts on each switched subnet; in actuality, perhaps 15-30 hosts (printers, workstations, disk servers) are physically attached to each. However, many engineers also have ISDN or Frame Relay links to home, and a small subnet there. These home offices typically have a router or two and an X terminal or workstation; they may have a PC or Macintosh as well. As such, they are usually configured to support 6 hosts, and a few are configured for 14. The point to point links are generally unnumbered.

Using "one size fits all" addressing schemes, such as are found in RIP or IGRP, the home offices would have to be configured to support 62 hosts each; using numbers on the point to point links would further compound the address bloat.
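As an added example (not from the FAQ), the Python below works the engineering scenario above through: it computes the smallest prefix that fits a host count (62 hosts give a /26, 14 a /28, 6 a /29), carves those subnets out of one block largest-first so they stay aligned, and compares the addresses consumed with a fixed "one size fits all" /26 plan. The parent block and the list of subnets are constructed samples; point-to-point links are unnumbered and therefore absent from the list.

```python
"""VLSM sizing and allocation (added example, not part of the FAQ)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Plan = Dict[str, ipaddress.IPv4Network]


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix length whose subnet holds `hosts` usable addresses.
    The network and broadcast addresses of each subnet are not usable."""
    if hosts < 1:
        raise ValueError("a subnet must serve at least one host")
    size, prefix = 4, 30               # /30 is the smallest subnet with usable hosts
    while size - 2 < hosts:
        size *= 2
        prefix -= 1
        if prefix < 0:
            raise ValueError("host count does not fit in IPv4")
    return prefix


def allocate(block: str, demands: List[Tuple[str, int]]) -> Tuple[Plan, List[ipaddress.IPv4Network]]:
    """Carve `demands` (name, host count) out of `block`.

    Largest subnets are placed first and each one takes the smallest free
    piece that still fits, so every subnet is naturally aligned and the
    leftover space stays in as few pieces as possible."""
    parent = ipaddress.ip_network(block)
    ordered = sorted(demands, key=lambda d: prefix_for_hosts(d[1]))
    free: List[ipaddress.IPv4Network] = [parent]
    plan: Plan = {}
    for name, hosts in ordered:
        prefix = prefix_for_hosts(hosts)
        candidates = [p for p in free if p.prefixlen <= prefix]
        if not candidates:
            raise ValueError(f"no room for {name} (/{prefix}) in {block}")
        # Best fit: the smallest piece that is big enough, lowest address on ties.
        chosen = max(candidates, key=lambda p: (p.prefixlen, -int(p.network_address)))
        free.remove(chosen)
        while chosen.prefixlen < prefix:
            first, second = chosen.subnets(prefixlen_diff=1)
            free.append(second)          # keep the upper half for later demands
            chosen = first
        plan[name] = chosen
    free.sort(key=lambda n: (int(n.network_address), n.prefixlen))
    return plan, free


def addresses_used(demands: List[Tuple[str, int]], fixed_prefix: Optional[int] = None) -> int:
    """Total addresses consumed: per-subnet VLSM sizing, or one fixed prefix for all."""
    total = 0
    for _, hosts in demands:
        prefix = fixed_prefix if fixed_prefix is not None else prefix_for_hosts(hosts)
        total += 2 ** (32 - prefix)
    return total


# Constructed plan modelled on the FAQ's example: switched office subnets sized
# for 62 hosts, home offices for 6 or 14 hosts.
DEMANDS = [
    ("eng-floor-1", 62), ("eng-floor-2", 62),
    ("home-a", 6), ("home-b", 6), ("home-c", 14),
]

if __name__ == "__main__":
    plan, leftover = allocate("10.1.0.0/24", DEMANDS)
    for name, net in plan.items():
        print(f"{name:12} {net}")
    print("free:", [str(n) for n in leftover])
    print("VLSM:", addresses_used(DEMANDS), "addresses;",
          "fixed /26:", addresses_used(DEMANDS, fixed_prefix=26), "addresses")
```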

One configures the router for Variable Length Subnet Masking by configuring the router to use a protocol (such as OSPF or EIGRP) that supports this, and configuring the subnet masks of the various interfaces in the 'ip address' interface sub-command. To use supernets, one must further configure the use of 'ip classless' routes.

*************************************************************************
From: Question 18
Subject: What are some methods for conserving IP addresses for serial lines?

VLSM and unnumbered point to point interfaces are the obvious ways. The 'ip unnumbered' subcommand indicates another interface or sub-interface whose address is used as the IP source address on messages that the router originates on the unnumbered interface, such as telnet or routing messages. By doing this, the router is reachable for management purposes (via the address of the one numbered interface) but consumes no IP addresses at all for its unnumbered links.

*************************************************************************
From: Question 19
Subject: Flash upgrade issues for Cisco 2500 series routers

> When I remove the original flash and replace it with either one or both of
> the new flash chips, I get the following error on boot up and the router ends
> up in boot mode:
> ERR: Invalid chip id 0x80B5 (reversed = 0x1AD ) detected in System flash

This has to be the most common FAQ for this group. You have non-Intel flash chips on your new SIMMs and boot ROMs that are too old to know about the different access method for the flash chips you have. You need to either get the (free, call TAC) BOOT-2500= ROM upgrade from Cisco, or exchange the flash SIMMs for ones using Intel chips. Note that Intel no longer makes those chips, which is why everybody has this problem.

*************************************************************************
From: Question 21
Subject: How do I configure a router to act as a Frame-Relay Switch?

    config t
    frame-relay switching
    !
    interface Serial0
     no ip address
     no keepalive
     encapsulation frame-relay
     clockrate 64000
     frame-relay intf-type dce
     ! In the config below, the 102 is the DLCI that will be
     ! presented to the router connected to this - S0 -
     ! interface. 201 is the DLCI that is mapped to S1
     frame-relay route 102 interface Serial1 201
     frame-relay route 103 interface Serial2 301
    !
    interface Serial1
     no ip address
     no keepalive
     encapsulation frame-relay
     clockrate 64000
     frame-relay intf-type dce
     frame-relay route 201 interface Serial0 102
     frame-relay route 203 interface Serial2 302
    !
    interface Serial2
     no ip address
     no keepalive
     encapsulation frame-relay
     clockrate 64000
     frame-relay intf-type dce
     frame-relay route 301 interface Serial0 103
     frame-relay route 302 interface Serial1 203

[ASCII diagram: the Frame Relay switch router (FR SW) connects its S0 to R1's S0, its S1 to R2's S0, and its S2 to R3's S0.]
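As an added example (not from the FAQ), this Python parses the ``frame-relay route <in-dlci> interface <out-if> <out-dlci>'' statements of the switch configuration above into a switching table, forwards sample frames through it, and verifies two properties a reviewer would check: that every PVC is configured in both directions, and that the DLCIs follow the FAQ author's scheme of source router, 0, destination router (R1 to R3 is 103, R3 to R1 is 301). The interface-to-router mapping follows the diagram (S0 to R1, S1 to R2, S2 to R3).

```python
"""Checking a router-as-Frame-Relay-switch configuration (added example, not part of the FAQ)."""
import re
from typing import Dict, List, Optional, Tuple

ROUTE_RE = re.compile(r"^\s*frame-relay route (\d+) interface (\S+) (\d+)\s*$")
IFACE_RE = re.compile(r"^\s*interface (\S+)\s*$")

Key = Tuple[str, int]          # (interface, DLCI)


def parse_switching_table(config: str) -> Dict[Key, Key]:
    """Map (in-interface, in-DLCI) -> (out-interface, out-DLCI)."""
    table: Dict[Key, Key] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)           # routes belong to the enclosing interface
            continue
        m = ROUTE_RE.match(line)
        if m and current:
            key = (current, int(m.group(1)))
            if key in table:
                raise ValueError(f"duplicate route for DLCI {key[1]} on {current}")
            table[key] = (m.group(2), int(m.group(3)))
    return table


def forward(table: Dict[Key, Key], in_if: str, dlci: int) -> Optional[Key]:
    """Where a frame arriving on (in_if, dlci) is switched to; None means dropped."""
    return table.get((in_if, dlci))


def missing_reverse_routes(table: Dict[Key, Key]) -> List[Key]:
    """Routes whose return path is not configured (one-way PVCs)."""
    return [src for src, dst in table.items() if table.get(dst) != src]


def scheme_violations(table: Dict[Key, Key], router_of: Dict[str, int]) -> List[Key]:
    """Routes whose DLCIs do not match <source router>0<destination router>."""
    bad = []
    for (in_if, in_dlci), (out_if, out_dlci) in table.items():
        src, dst = router_of[in_if], router_of[out_if]
        if in_dlci != src * 100 + dst or out_dlci != dst * 100 + src:
            bad.append((in_if, in_dlci))
    return bad


# The FAQ's switch configuration, re-typed here as the constructed input.
SWITCH_CONFIG = """
frame-relay switching
!
interface Serial0
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 102 interface Serial1 201
 frame-relay route 103 interface Serial2 301
!
interface Serial1
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 201 interface Serial0 102
 frame-relay route 203 interface Serial2 302
!
interface Serial2
 no ip address
 no keepalive
 encapsulation frame-relay
 clockrate 64000
 frame-relay intf-type dce
 frame-relay route 301 interface Serial0 103
 frame-relay route 302 interface Serial1 203
"""

# Which router hangs off each switch interface, per the FAQ's diagram.
ROUTER_OF = {"Serial0": 1, "Serial1": 2, "Serial2": 3}

if __name__ == "__main__":
    table = parse_switching_table(SWITCH_CONFIG)
    print("R1 -> R3 on DLCI 103 leaves on", forward(table, "Serial0", 103))
    print("one-way PVCs:", missing_reverse_routes(table))
    print("scheme violations:", scheme_violations(table, ROUTER_OF))
```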

R1 S0, R2 S0 and R3 S0 will be on the same subnet. You can treat it as p2mp. I put all the DCE ends of the cables on the Frame Switch, so clock rate is defined there. However, this is not a requirement. The FR Switch router does not need to have the DCE end. Regardless of the gender of the cable, however, the "frame-relay intf-type dce" is required. I defined the DLCIs as Source Router + 0 + Destination Router. So if the circuit goes from R1 to R3 it's DLCI 103. From R3 to R1 it's DLCI 301.

*************************************************************************
From: Question 22
Subject: What are the different types of memory used by Cisco Routers?

The 2500 Series and 7204 VXR have the same types of memory, but they are implemented in different physical packages:

ROMMON - This is the initial bootstrap for the router.

Boot Helper - This is a subset of IOS that is used to update software or network boot. The 2500 implements the ROMMON and boot helper in a set of two ROMs. The 7204VXR has ROMMON in a ROM and boot helper in a piece of flash memory on the I/O controller called boot flash.

Main memory - This is used to hold routing tables, and IOS variables. In the 7204 VXR, IOS itself is also resident in main memory. The 2500 Series usually runs the IOS directly in flash.

Shared memory - This is the memory that holds packet buffers. On the 2500 Series, this is part of the same physical memory as main memory. On the 7204 VXR, it's separate memory.

Flash memory - This memory holds the IOS image. On the 2500 Series, there are two flash SIMM sockets (max 16 MB). On the 7204VXR, there are PCMCIA slots on the I/O controller which can take a 128 MB flash disk.

Configuration memory (NVRAM) - This is the memory that holds the IOS configuration. In the 2500 Series, it's a 32 KB EEPROM. On the 7204VXR it is 128 KB battery backed up SRAM on the I/O controller.

*************************************************************************
* From: Question 23
Subject: How do I load the Documentation CD (UniverseCD) on Windows 2000?

Doc CD Content appears garbled: The Doc CD content is compressed - it requires Verity to decompress it. This is why Verity is used on the Doc CD. What has happened is you've tried to directly open up index.html off the CD into your browser, and this is not possible to do. The CD must be accessed through the Verity Web Publisher through:
http://127.0.0.1:8080/home/home.htm

This is the startup address that is launched when you click on "Launch CD."

Windows 2000 and Doc CD: Pre-July 2000 Documentation CDs do not work on Windows 2000 out of the box. They will cause "Search.exe" to crash when run under Win2k. There is a fix that sometimes works for these CDs at:
http://www.cisco.com/warp/public/620/ioscd.html.

This fix MUST be done BEFORE you install the CD. If the CD has already been installed, then uninstall it, delete c:\cisco, make this registry change, then re-install the Doc CD (both the Browser Software Installer and the Documentation CD).

(I have tried this on my laptop which is running Windows 2000 and it worked fine, but I had to delete c:\Cisco first and launch the Browser Software Installer CD (1) first, then the Documentation CD (2). My version of the CD was Nov 1999.)

(I have already sent this one to you; did you delete c:\Cisco and launch both CDs?)

Other fixes are shown below.

The Doc CD starts up to about:blank: There are two alternate fixes for this:

1. After launching the Doc CD, put in http://127.0.0.1:8080/home/home.htm for the address, and then add it to your favorites.

or

2. This is a 4-step fix:
   A. Ensure that search.exe is not running.
   B. Edit the installed search.ini (c:\CISCO\search.ini).
   C. Change the line 'Browser=c:\program files\internet explorer\iexplore.exe' to 'Browser=msie'
   D. Launch the CD.

Nothing happens when I click Launch CD: The usual cause for this is that you've installed a post-July 2000 Documentation CD over the top of a previous Doc CD. The fix for this is to:

1. Uninstall the Doc CD from the control panel->add/remove programs.
2. Delete c:\cisco
3. Reinstall the Doc CD.

Finally, to reorder a CD: the Cisco Documentation CD is also available online at:

http://www.cisco.com/univercd/home/home.htm

*************************************************************************
* From: Question 24
Subject: How do I load a large image on a 2500 *lab* router?

For production work (support by Cisco required) you need 16M Flash to run 12.0 or 12.1 Enterprise. If you don't need Cisco support, 12.0 Enterprise is small enough (about 10M) to run from RAM (upgrading to 16M of RAM is MUCH cheaper than upgrading to 16M of flash) using a compressed image in the 8M of flash you do have.

12.1 Enterprise is 14M so it must be run from flash (otherwise there is not enough RAM remaining to even complete loading of the OS).

Check the release notes on www.cisco.com for the IOS release you want to use. If the actual size of the IOS plus the minimum recommended RAM totals less than 16MB, you can run compressed or boot from TFTP without expanding flash. Check deja-news on google if you are unclear on how to run a compressed image on the 2500, it is a frequent request and hopefully will turn up in the renovated FAQ when Hansang gets a chance to publish it.

*************************************************************************
* From: Question 25

Subject: daisy-chaining reverse telnet console-aux ports

> I've hooked 4 routers together in a lab and I'm daisy-chaining them
> aux --> console and using reverse telnet to get to them...
>
> However when I get to the fourth router and do a CTRL-SHFT-6 X,
> I get back to the first router. If I kill the AUX line, then initiate the
> reverse telnet again, I fall through router 2 and 3 to 4 again...
> Is there an easy way to fall back one router at a time?
> or should I not bother to do this?

You have two options. One is to use a different escape character on the second (third, fourth etc) console (and/or vty)

conf t
line con 0          /* or vty 0 4 */
 escape-character 23

This will let you use CTRL-W then X to break out reverse telnet.

Or

You can use CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the second session, and CTRL-SHFT-6, CTRL-SHFT-6, CTRL-SHFT-6, X to come back to the third session, etc.

*************************************************************************
* From: Question 26
Subject: How do I setup Lock & Key ACL? Or punch temporary holes in my ACL if someone authenticates to my router?

username foobar password cisco
!
int s0
 ip address 1.1.1.1 255.255.0.0
 ip access-group 101 in
!
! /* or port 22 for ssh */
access-list 101 permit tcp any host 1.1.1.1 eq telnet
access-list 101 dynamic foobar permit ip any any
!
line vty 0 2
 login local
 autocommand access-enable host timeout 5
line vty 3 4
 login local
 rotary 1

The first access list entry allows telnet into the router. Your users will telnet into the router and authenticate with username foobar and password "cisco".

The router will then immediately disconnect the telnet session. When they successfully authenticate, an access list entry with their source IP will be added to the dynamic list. Basically, if they authenticate correctly, they can come in to the inside network. After 5 mins of inactivity the entry will be deleted from the access list.
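A model of how the two entries in access-list 101 behave, added here as an example and not taken from the FAQ: a constructed outside host is denied into the inside network until it authenticates as foobar, then gets a per-host dynamic entry, and loses it again after 5 idle minutes. The host addresses and the minute-based clock are made up for the demonstration.

```python
"""Stateful model of the lock-and-key access list in the FAQ (added example).

Entries modelled, in order:
  access-list 101 permit tcp any host 1.1.1.1 eq telnet
  access-list 101 dynamic foobar permit ip any any   (one host entry per login)
followed by the implicit deny. Time is a constructed clock in minutes.
"""
from dataclasses import dataclass, field

ROUTER_IP = "1.1.1.1"        # s0 address from the FAQ config
TELNET = 23
USERS = {"foobar": "cisco"}  # "username foobar password cisco"
TIMEOUT_MIN = 5              # "autocommand access-enable host timeout 5"


@dataclass
class DynamicEntry:
    src: str
    last_used: float         # minutes on the constructed clock


@dataclass
class LockAndKey:
    dynamic: list = field(default_factory=list)

    def authenticate(self, src: str, user: str, password: str, now: float) -> bool:
        """vty 'login local'; on success access-enable adds a host entry for src."""
        if USERS.get(user) != password:
            return False
        if not any(e.src == src for e in self.dynamic):
            self.dynamic.append(DynamicEntry(src, now))
        return True

    def _expire(self, now: float) -> None:
        """Drop entries that have been idle for the configured timeout."""
        self.dynamic = [e for e in self.dynamic if now - e.last_used < TIMEOUT_MIN]

    def permits(self, src: str, dst: str, proto: str, dport: int, now: float) -> bool:
        """Evaluate access-list 101 inbound on s0 for a single packet."""
        self._expire(now)
        # permit tcp any host 1.1.1.1 eq telnet
        if proto == "tcp" and dst == ROUTER_IP and dport == TELNET:
            return True
        # dynamic foobar permit ip any any: each authenticated host's own entry
        for e in self.dynamic:
            if e.src == src:
                e.last_used = now    # matching traffic resets the idle timer
                return True
        return False                 # implicit deny at the end of the list


def demo() -> list:
    """Walk one constructed host through the lock-and-key sequence."""
    acl = LockAndKey()
    host, inside = "203.0.113.7", "10.1.1.5"
    return [
        acl.permits(host, inside, "tcp", 80, 0.0),            # before auth: denied
        acl.permits(host, ROUTER_IP, "tcp", TELNET, 0.0),     # telnet to router: ok
        acl.authenticate(host, "foobar", "wrong", 0.0),       # bad password: no entry
        acl.authenticate(host, "foobar", "cisco", 1.0),       # entry added at t=1
        acl.permits(host, inside, "tcp", 80, 2.0),            # now permitted
        acl.permits("203.0.113.9", inside, "tcp", 80, 2.0),   # another host: denied
        acl.permits(host, inside, "tcp", 80, 7.5),            # 5.5 min idle: expired
    ]


if __name__ == "__main__":
    print(demo())  # [False, True, False, True, True, False, False]
```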

The vty 3 and 4 are using the rotary command so that you can telnet to your router with the command: "telnet 1.1.1.1 3001". This takes you to vty 3 (or 4). This way, you can telnet into the router and actually manage it. A very subtle but VERY important point. If you forget this, you'll be making a trip to use the console port.

*************************************************************************
* From: Question 27
Subject: How do I telnet to a specific VTY line?

See "rotary" example in question 48.

*************************************************************************
* From: Question 28
Subject: Is there a better (free) tftp server than the one by Cisco?

3CDv2r10.zip file located at:


http://support.3com.com/software/utilities_for_windows_32_bit.htm

*************************************************************************
* From: Question 28
Subject: How do I NAT on a single Cisco 2503 Ethernet interface

interface Loopback0
 ip address 10.0.255.1 255.255.255.0
 ip nat inside
!
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address xxx.yyy.zzz.ttt 255.255.255.248
 ip nat outside
 ip policy route-map LOOPNAT
!
ip nat inside source list 1 interface Ethernet0 overload
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map LOOPNAT permit 10
 match ip address 1
 set interface Loopback0
!
------------------------

Note that the Lo0 interface may have any ip address.

*************************************************************************
* From: Question 29
Subject: How do I hide a summarized OSPF route from one ABR to another?

area 1 range x.x.x.x x.x.x.x not-advertise

*************************************************************************
* From: Question 30
Subject: How do I setup Windows 2000 and IPSec to PIX Firewall

To describe how to use the Local Security Policy MMC in W2K would take a long time. So, the config I will share with you is the 'dial-up' one I mentioned before. In this posting I will detail the bare minimum needed to get a W2K client working with a PIX firewall running v6.01 software. For simplicity I use a preshared key for authentication. Since I have to embed this key into the script I use it makes the configuration open and thus vulnerable. However, you should be able to tweak the configuration from this to meet your own security needs. The W2K IPSec client supports certificates as well as preshared keys so a "secure" version of this config is attainable.

The configuration script I eked out (it isn't beautiful code) is actually written in Perl. If you would like to re-write it in the old DOS batch file format, please do so. Otherwise, you should find a copy of Perl for NT/W2K. I use the version found at http://www.activestate.com. The Perl script I show here is documented as to what it does. The MS ipsecpol.exe program that you have to use has its own documentation which you should read. For the PIX I give you only the crypto, isakmp, and sysopt commands you need to issue to your PIX to make this config work. The config assumes that the PIX has NAT enabled.

Ok, enough blabber, here it is... I hope it is helpful!

For the purposes of this 'demo' config, the PIX Firewall will have 192.168.0.1 as its outside IP. The inside network will be the 10.0.X.X network. The inside router will be 10.0.0.1.

Quick Network Schematic:

[W2K] --> [Dial-Up WAN adapter (DHCP assigned address)] ---> [Internet]---->[PIX Firewall(192.168.0.1)] ---> [Internal LAN (10.0.X.X)] --> [Inside Router (10.0.0.1)]

The PIX firewall commands needed are:

sysopt connection permit-ipsec
sysopt connection permit-l2tp
sysopt ipsec pl-compatible

crypto ipsec transform-set W2K esp-des esp-md5-hmac
crypto ipsec transform-set W2K mode transport
crypto dynamic-map W2KDynamic 11 set transform-set W2K
crypto map W2K-Map 23 ipsec-isakmp dynamic W2KDynamic
crypto map W2K-Map interface outside

isakmp identity address
isakmp key gobbeldygook address 0.0.0.0 netmask 0.0.0.0
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 28800
isakmp enable outside

The Perl script I wrote is as follows. I execute this script everytime I establish a connection with my dial-up ISP. It then sets up the IPSec tunnel using my current ISP assigned IP Address.

#begin listing

# IPSecInit.pl
# Written by: Steven Griffin Jr.
# Date: 6 June, 2001.

# Note: The basis of this code came from the PERL documentation site.
# The original snippets came from the links below.
# http://www.perldoc.com/perl5.6/lib/Net/hostent.html
# http://www.perldoc.com/perl5.6/lib/Net/Ping.html
# I should put this in POD format at some point but I am in a hurry right now.

use Net::hostent;
use Socket;

# Two variables: one for the local IP address and one for the VPN server.
# This script assumes that the VPN server has a static IP.

$localipaddress = '';
$VPNHostIP = '192.168.0.1';

# The following section of code discerns the IP address of the host provided
# in the command line arguments. The default is the localhost.
# NOTE: The code section is smart and gives you a routable IP (if available)
# and not just 127.0.0.1
# This section is pretty much identical to the one found on the PERL documentation site.
# I just added an assignment of the discerned IP address to the $localipaddress variable.
# I also changed the @ARGV assignment to 'localhost' instead of 'netscape.com'

@ARGV = ('localhost') unless @ARGV;

for $host ( @ARGV ) {
    unless ($h = gethost($host)) {
        warn "$0: no such host: $host\n";
        next;
    }

    printf "\n%s is %s%s\n", $host,
        lc($h->name) eq lc($host) ? "" : "*really* ",
        $h->name;

    print "\taliases are ", join(", ", @{$h->aliases}), "\n"
        if @{$h->aliases};

    if ( @{$h->addr_list} > 1 ) {
        my $i = 0;
        for $addr ( @{$h->addr_list} ) {
            printf "\taddr #%d is [%s]\n", $i++, inet_ntoa($addr);
            # Keep a routable address as the local IP when the host has several;
            # without this the ipsecpol commands below would get an empty address.
            $localipaddress = inet_ntoa($addr) unless inet_ntoa($addr) eq '127.0.0.1';
        }
    } else {
        # my modification is on the next line.
        printf "\taddress is [%s]\n", $localipaddress = inet_ntoa($h->addr);
    }

    if ($h = gethostbyaddr($h->addr)) {
        if (lc($h->name) ne lc($host)) {
            printf "\tThat addr reverses to host %s!\n", $h->name;
            $host = $h->name;
            redo;
        }
    }
}

# This next section is a very modified version of the Ping example on the Perl Documentation Website.

# Now that we know our IP address, we can set up the IPSec tunnel.
# First we try and ping our VPN server.

use Net::Ping;
$p = Net::Ping->new("icmp");
print "\nCan I see my firewall? ";
if ($p->ping($VPNHostIP)) {
    print "Yes\nAttempting to initialize IPSec Connection";

    # Now that we can see our server, let's stop and start the W2K IPSec Policy Agent.
    # This deletes any 'dynamic' IPSec policies that may have been in effect before.
    print "\nResetting IPSec Policy Agent";
    $cmdstring = 'Net Stop "IPSec Policy Agent"';
    system($cmdstring);
    $cmdstring = 'Net Start "IPSec Policy Agent"';
    system($cmdstring);

    # Now we issue the ipsecpol command to set up the tunnel to our VPN server.
    # The ipsecpol command line utility can be found on Microsoft's website.
    # http://www.microsoft.com/downloads/release.asp?ReleaseID=29167
    # or
    # http://download.microsoft.com/download/win2000platform/ipsecpol/1.00.0.0/NT5/EN-US/ipsecpol_setup.exe

    # MS requires two ipsecpol commands be issued in order to set up a tunnel.
    # One for the inbound traffic and one for the outbound traffic.
    # For this tunnel I used the following settings:
    # The IPSec filter '-f' is for the 10.0.0.0 255.255.0.0 network to my IP address.
    # The tunnel setting '-t' is either my IP address or the VPN server's IP address.
    # The security method list '-1s' is for DES-MD5-1
    # The security negotiation setting '-n' is for ESP[DES,MD5]
    # We are using quick mode key exchange '-1k', rekeys after 10 quick modes '10q'
    # We are using perfect forward secrecy '-1p'
    # For authentication we are using a preshared key '-a'
    # NOTE: the preshared key must be enclosed in double quotes
    # See the documentation of the utility for further details.
    print "\nSetup IPSec Tunnel";

    # This sets up the inbound leg of the tunnel. We are filtering all traffic
    # inbound from 10.0.X.X to our IP address.
    # The critical part of this statement is that the -t argument must contain our local IP.
    $cmdstring = 'ipsecpol -f 10.0.*.*='.$localipaddress.' -t '.$localipaddress
               .' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
    printf "\n%s", $cmdstring;
    system($cmdstring);

    # This sets up the outbound leg of the tunnel. We are filtering all traffic
    # outbound to 10.0.X.X from our IP address.
    # The critical part of this statement is that the -t argument must contain
    # the VPN server's IP address.
    $cmdstring = 'ipsecpol -f '.$localipaddress.'=10.0.*.* -t '.$VPNHostIP
               .' -1s DES-MD5-1 -n ESP[DES,MD5] -1k 10q -1p -a PRESHARE:"gobbeldygook"';
    printf "\n%s\n", $cmdstring;
    system($cmdstring);

    # Now that we have issued our commands, we should test the network and see if
    # we can see inside it. The internal router is the easiest target. Here it is 10.0.0.1.

    # We first do a ping just so that the IPSec tunnel will negotiate. W2K does not
    # set up the tunnel until you actually try and send traffic to an IPSec filtered
    # IP address. Then we do another ping and tell the user what happened.
    print "\nTrying to ping internal network: ";
    $p->ping("10.0.0.1");
    if ($p->ping("10.0.0.1")) {
        print "Success\n";
        sleep(1);
    } else {
        print "Failure\n";
        sleep(1);
    }
} else {
    # If we reach this point, we could not see our VPN server's external IP address from our ISP.
    print "No\nTry redialing your ISP";
    sleep(3);
}
$p->close();

#end listing

*************************************************************************

* From: Question 32 Subject: How do I use tftpdnld via Ethernet port on a 2600?

Press Ctrl+Break on the terminal keyboard within 60 seconds of the power-up to put the router into ROMMON.

rommon 1 > IP_ADDRESS=172.15.19.11
rommon 2 > IP_SUBNET_MASK=255.255.255.0
rommon 3 > DEFAULT_GATEWAY=172.16.19.1
rommon 4 > TFTP_SERVER=172.15.20.10
rommon 5 > TFTP_FILE=/tftpboot/c2600-i-mz
rommon 6 > tftpdnld

*************************************************************************
* From: Question 33
Subject: How do I setup MultiLinkPPP?

multilink PPP without virtual template

int Multilink1
 description multilink bundle
 ip unnumbered Loopback0
 ppp multilink
 multilink-group 1
!
int Ser0
 description first T1 line
 encaps ppp
 ppp multi
 multilink-group 1
!
int Ser1
 description second T1 line
 encaps ppp
 ppp multi
 multilink-group 1

Again, recent software necessary: at least 12.0T or 12.1 or one of the ISP branches (12.0S).

*************************************************************************
* From: Question 34
Subject: How much memory is taken up by BGP routes?

As a reference, please see the following from

http://www.cisco.com/warp/public/459/

I'd like to drill down another level to decide why each entry contains 240 bytes!

Tech Tip: How Much Memory Does Each BGP Route Consume?

Each Border Gateway Protocol (BGP) entry takes about 240 bytes of memory in the BGP table and another 240 bytes in the IP routing table. Each BGP path takes about 110 bytes.

*************************************************************************
* From: Question 35
Subject: How do I stop my router from looking for cisconet.cfg or network-config?

Look up "service config" in the manual (available on www.cisco.com if you do not have a local copy). Turn it off using the command "no service config" in configuration mode.

*************************************************************************
* From: Question 36
Subject: How do I setup DHCP service on my router?

Here is my 1601 performing as a DHCP server config... The static pool is how I use DHCP to assign the same IP to the same PC each time, essentially a static IP address assignment. The only other requirement would be that on the interface where DHCP requests will be received, if you have an inbound ACL, bootp must be permitted.

ip dhcp excluded-address 192.168.3.1 192.168.3.9
!
ip dhcp pool dhcp-pool
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 netbios-node-type b-node
 dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee
!
ip dhcp pool static-pool
 host 192.168.3.2 255.255.255.0
 client-identifier 0100.00c5.0cbd.7e
 client-name main_pc
 default-router 192.168.3.1
 dns-server aaa.bbb.ccc.ddd aaa.bbb.ccc.eee

*************************************************************************
* From: Question 37
Subject: How do I configure a transparent proxy redirecting on CISCO router?

> Is it possible to configure a transparent proxy redirecting on a CISCO router?
> I would like to redirect all www requests from specific IP addresses to
> another IP address and another port.

A route-map does the IP redirection nicely, I've used it for http and smtp. Not sure about switching ports simultaneously with the same route map, but you could fix this with 'ipfw' or similar on the host. Be sure you have 'ip route-cache policy' enabled to save CPU on the interface. WCCP is another option.
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.5

*************************************************************************
* From: Question 38
Subject: How do I use a route-map to limit redistribution in OSPF?

!
! /* match only 172.16.10.x and 172.16.11.0 subnets */
!
access-list 1 permit 172.16.10.0 0.0.1.255
!
!
! /* use access-list 1 to determine what gets matched */
!
route-map LoopbacksOnly permit 10
 match ip address 1
!
!
! /* redistribute connected networks, any and all subnets, */
! /* and seed it as E2 type. Note that throughout your     */
! /* OSPF domain, your loopbacks will have a metric of 20. */
! /* 20 is the default metric when you redistribute into   */
! /* OSPF, except for BGP routes which get a metric of 1.  */
! /* Also use the route-map LoopbacksOnly to selectively   */
! /* redistribute only the ones we want to redistribute.   */
!
router ospf 200
 redistribute connected subnets metric-type 2 route-map LoopbacksOnly

*************************************************************************
* From: Question 39
Subject: How do I connect 675 DSL units back to back?

Well I found out that you can hookup other DSL boxes back to back...here is part of an email I found on it:

you need: 'dsl equipment-type CO' on one side and 'dsl equipment-type CPE' on the other

Here is a working example from the lab:

(The distance limitation should be the same as the one found in the docs)

also, you can run 'debug dsl-phy' a new command to look at the trainup.

(CO side, an 828)

!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl equipment-type CO
 dsl operating-mode GSHDSL symmetric annex A
 dsl linerate AUTO
!
interface ATM0.1 point-to-point
 ip address 1.1.1.2 255.255.255.0
 pvc 1/33
  encapsulation aal5snap
!
!

(CPE side, a SOHO78)

!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex A
 dsl linerate AUTO
!
interface ATM0.1 point-to-point
 ip address 1.1.1.1 255.255.255.0
 pvc 1/33
  encapsulation aal5snap
!

*************************************************************************
* From: Question 40
Subject: Why can't I upload an IOS image on to my flash on my 2500 router?

> I took one from another 2500, same label E28F008SA and unfortunately,
> same ERROR MESSAGE while issuing COPY TFTP FLASH from config-reg
> 0x2101

The flash in your system is not recognized by the boot ROM. You can upgrade your boot ROM (Cisco part BOOT-2500=) or use flash that is compatible (Intel).

*************************************************************************
* From: Question 41
Subject: How do I configure my router so it becomes a DHCP CLIENT?

If you have 12.1(2)T or better and one of these platforms: C800, C100x, C1400, C160x, C17x0, C25xx, C26xx, C36xx, C4x00, C64xx, C7x00, C8500, C12000, UBR900, UBR7200, MC3810.

The interface command is "ip address dhcp"

*************************************************************************
* From: Question 42
Subject: How do you setup a simple Priority Queuing?

I would take a look at priority queuing, see the link below:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/qos_c/qcprt2/qcdpq.htm

A simple config for your case would be:

priority-list 1 protocol ip high tcp telnet
priority-list 1 default medium

interface Ethernet1
 ip address 10.1.1.1 255.0.0.0
 no ip directed-broadcast
 priority-group 1

*************************************************************************
* From: Question 43
Subject: What are the pros and cons of using two ISP/BGP providers?

> Why would you use BGP with 2 Internet T1 vs using equal cost
> static routing? What's the pros and cons? Thank you.

The answer in a nutshell is: It depends.

If each T1 goes to a different ISP, then you must use BGP to have the same public address regardless of route taken.

If each T1 goes to the same ISP and load sharing and ease of setup/management is more important than availability, then go with static routes.

If the T1 links do not support end-to-end keepalives, go with BGP to avoid black holes.

If the T1 links go to different POPs of the same ISP, use BGP and indicator routes to detect ISP segmentation.

If the T1 links go to geographically diverse POPs, then BGP with full or local routes may improve routing efficiency.

For more detail, see the blurb


http://www.oreillynet.com/pub/a/network/2001/05/11/multihoming.html

(for those reading this out of the archives at a future date, a more detailed version of this paper will be appearing as a White Paper on my web site, but it will not be there until late Summer). Chapter 8 of my book walks you through all the alternatives from two T1s between a single router at your site and a single router at the ISP, to two T1's between separate routers at your site to two different ISPs. For how to get the most out of BGP, including load sharing and efficiency considerations (my book only considers availability), read Halabi's book.

If none of the above makes sense to you, hire a competent consultant to walk you through the alternatives and their tradeoffs.

***** The O'Reilly article follows: *****

by Vincent Jones 05/11/2001

Many organizations depend upon Internet connectivity to support critical applications. One popular approach for improving Internet connectivity is to connect to more than one Internet service provider (ISP), a technique called multi-homing.

Multi-homing can be very effective for ensuring continuous connectivity -- eliminating the ISP as a single point of failure -- and it can be cost effective as well. However, your multihoming strategy must be carefully planned to ensure that you actually improve connectivity for your company, not degrade it.

THE CONCEPT OF PHYSICAL DIVERSITY

First, I want to discuss the network components that can affect overall connectivity. Because most network failures are due to problems in the WAN links, it does little good to connect to a second ISP if both ISP links are carried over the same communications circuit. Even if independent circuits are used -- if they are not physically diverse they will still be subject to common failure events such as construction work inside your building or digging in the street outside.

Providing complete physical diversity can be difficult and expensive, but the requirement is not limited to ISP connections. All critical network links for internal communications should also be diversified. Assuming an otherwise well- designed internal network, the easiest way to achieve physical diversity in your ISP connections is to connect from two different locations that are already well-connected to each other. But they must be far enough apart that they don't share any common communications facilities to either ISP.

REDIRECTING TRAFFIC USING THE BORDER GATEWAY PROTOCOL

Once physical connectivity is in place, you need to make it useful. Taking advantage of redundant links requires two conditions to always be present. First, you must be able to detect when a link has failed. Second, you must have a mechanism for redirecting traffic that would normally flow across a failed link to take a different path that is still functional.

In a multi-homing environment, both tasks are normally achieved by running Border Gateway Protocol (BGP) between your routers and those of the ISPs.

BGP is often assumed to mean complex configurations on expensive, high-end routers to handle the huge routing tables required to fully describe the Internet. However, depending upon the specific application requirements and the degree of load-balancing you want across all available links, it may be practical to implement multi-homing using the smallest routers you have available that are capable of handling the traffic load.

In other words, implementing multi-homing doesn't have to be an all-or-nothing choice. There are choices you can make along the way based upon the equipment you have available and the level of connectivity you need to provide.

DETERMINING LEVEL OF CONNECTIVITY REQUIRED

At one extreme, when your goal is simply to provide internal users with access to the Internet, you don't need to run BGP at all. As long as the link layer protocol supports the exchange of keep-alive messages from router to router, link failure will be detected by the link layer protocol. Floating static routes can then reliably direct all outbound traffic to a working ISP link.

Network Address Translation (NAT) is then used to send outbound packets with a source IP address associated by the ISP with that outbound link. Return traffic will automatically come back via the same working link because that link is the only link servicing that address range.

Of course this approach will not work if you are providing services to the outside world, as the addresses associated with the failed link will disappear. Similarly, connections that were established over the link that failed will need to be reconnected. However, for many applications this impact is minor.

For example, a typical web surfer would merely need to hit the "page refresh" button. This approach is also sufficient to provide high-availability virtual private networks (VPN) across the Internet if you use a routing protocol such as OSPF to detect and route around failed IPSec tunnels.

The other extreme would be when you need to support a common IP address range using both ISPs. Then you need to run BGP. This will normally be the case any time your applications include providing services to Internet users, such as access to a common database. You will need to arrange for both ISPs to accept your BGP advertisements of your IP address prefixes. Then your ISPs need to advertise those address prefixes to the rest of the Internet.

Getting your address prefixes advertised is usually not a problem. You do, however, have to use care in your configuration to ensure that you do not inadvertently advertise any other address prefixes. In particular, you must ensure that you do not advertise yourself as a path between the two ISPs. This could cause your links to be consumed by transit traffic of no interest to you. More challenging is setting up your advertisements so that incoming traffic is reasonably balanced between the ISP links. Achieving that can be difficult at best, and nearly impossible at worst.

CHOOSE THE RIGHT ROUTE FOR YOU

The final decision is determining which routes to accept from each ISP. This can range from merely accepting a default route (used to detect if the link is up or down) to accepting all routes (so called "running defaultless"). The former is usually insufficient, because it does not protect you from an ISP which has an internal failure cutting them off from the rest of the Internet. The latter requires using "carrier-class" routers with lots of memory installed (and therefore more expensive). Fortunately, there are some "in-between" choices.

Rather than using a simple default route, you can use a conditional default route to protect against ISP failure behind the ISP's router that serves you. A conditional default route is a default route that is defined by a router only if a specific address is already in that router's routing table. Each ISP is only used for a default route if it is advertising one or more routes that indicate it is receiving advertisements from the rest of the Internet. That way, you will always use a default route which promises to be useful.

Another option is to have the ISP send you just its local routes. That way, you can optimize your outbound routing to avoid sending packets that could be locally delivered to the wrong ISP, adding to delivery delays. Care must be taken when using this option, however, because some ISPs have so many local routes that there is no cost benefit in the size of the routers required to handle them compared to running defaultless.

Options can also be combined. In many cases, taking local routes and a conditional default route will provide all the availability benefits of running defaultless, while still allowing the use of low-cost routers. As is always the case in networking, a good understanding of the requirements and the available capabilities is essential to maximizing cost-effectiveness.

*************************************************************************
* From: Question 44
Subject: What kind of memory can I use to upgrade my 2500 series router?

The RAM is standard 72-pin parity 70ns FPM w/ tin leads, while the flash is the generic Cisco flash. If you have older boot ROMs, you'll want to make sure you get Intel chips or the ROMs won't recognize them. Or you could upgrade the ROMs - Cisco part number BOOT-2500=, allegedly free.

> Any suggestions for a decent memory supplier for this?

I used to use Kingston when I had 25xx's. But MemoryX seems to be less expensive these days: (http://www.memoryx.net/routers.html)

*************************************************************************
*
From: Question 45
Subject: Where can I get mzmaker to compress my IOS?

http://www.mcseco-op.com/mzmaker.htm

*************************************************************************
*
From: Question 46
Subject: What is the meaning of in/out in reference to an access-list?

> Can anyone point me to a good description of the difference between "in"
> and "out" in applying an access list to an interface? Even the good
> books seem to only devote a sentence to the difference between them.

The simplest explanation I've seen is: Crawl into your router and look towards the interface. If the packets are going away from you they're outbound. If they're hitting you in the forehead they're inbound.

*************************************************************************
*
From: Question 47
Subject: How do I remove the /32 - host - route when a PPP link comes up?

To get rid of this host route, try the following command on both ends of the link:

no peer neighbor-route

*************************************************************************
*
From: Question 48
Subject: How do I forward DHCP broadcasts to my DHCP server?

> We are a Canadian company with an American office. We have a Cisco router
> at each office connected via a T1 line. We have a DHCP server at our
> Canadian office, and we would like it to also delegate IPs to our American
> office. Is this possible? If so, what must be done?

You have some choices.

1) Run DHCP on the remote router. This will prevent the DHCP requests from coming across the WAN. The downside is that only certain IOSes support running DHCP, and it is a bit more work for the router.

2) You can enable BOOTP forwarding or DHCP relaying. This can be accomplished by using the "ip helper-address DHCP_SERVER_IP_HERE" interface command. But using helper-address turns on a lot of unnecessary UDP forwarding, so you need to lock it down first.

So:

conf t
! Turn off the UDP services that ip helper-address forwards by default
! but that the DHCP server has no business receiving.
no ip forward-protocol udp tftp
! (the IOS keyword for UDP port 53 is "domain", not "dns")
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
! bootps (UDP 67), which carries the clients' DHCP requests, is forwarded
! by default and is left enabled.
ip forward-protocol udp bootpc
!
interface ethernet0/0
 ip helper-address YOUR_REMOTE_DHCP_SERVER_IP_HERE

*************************************************************************
*
From: Question 49
Subject: How do I send L2 traffic through a tunnel?

> Thanks for answering my post, the current problem I have is I need to send
> Layer2 type traffic through a tunnel ... is this possible ?

Sure. See...

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/inter_c/icdlogin.htm#xtocid292793

> I enabled bridging on both routers and created a bridge group and that
> seems to work fine I can see my netbeui traffic passing ....
> The problem is I have to be able to encapsulate netbeui or any other Layer2
> type protocol and encapsulate within a IP packet.

The usual way to do this is using a GRE tunnel between two routers, and configuring an additional loopback interface on each router as the source interface for the tunnel traffic, as below. Here, each router has a bridge group defined which allows certain traffic only as stated in the 200-series ACL onto the loopback interface. In this case it's LAT only - you will need to check the LSAP protocol number(s) for netbios/netbeui as I can't remember these off-hand. Once the traffic is forwarded from the LAN interface onto the loopback, it is encapsulated into IP GRE and forwarded to the far router.

                   Tunnel0                            Tunnel0
                  /----------------------------------------\
                  |                                        |
LAN--------Router A-------WAN Cloud-------Router B--------LAN
        Eth0         Ser0             Ser0         Eth0

Router A
--------
! The bridge group must exist globally before interfaces can join it; this
! line was missing from the original post.
bridge 1 protocol ieee
!
int e0
 ip address 192.168.100.254 255.255.255.0
 bridge-group 1
!
int loop0
 ! A tunnel source interface needs an IP address, and the two tunnel
 ! endpoints must point at each other. 10.255.0.1/32 and 10.255.0.2/32 are
 ! assumed values (not in the original post) that must be reachable
 ! across the WAN.
 ip address 10.255.0.1 255.255.255.255
 bridge-group 1
 bridge-group 1 output-type-list 200
!
int tunnel 0
 tunnel source Loopback0
 tunnel destination 10.255.0.2
!
access-list 200 permit 0x6000 0x600f

Router B
--------
bridge 1 protocol ieee
!
int e0
 ip address 192.168.200.254 255.255.255.0
 bridge-group 1
!
int loop0
 ip address 10.255.0.2 255.255.255.255
 bridge-group 1
 bridge-group 1 output-type-list 200
!
int tunnel0
 tunnel source Loopback0
 tunnel destination 10.255.0.1
!
access-list 200 permit 0x6000 0x600f

*************************************************************************
*
From: Question 50
Subject: Why is measuring collisions a meaningless endeavour?

> A more useful calculation would be to multiply collisions by
> 704 and then divide that by 10000000 * t, to show the total overhead
> percentage used by collision detection. 704 is the number of
> bit-times consumed by a collision - 96 bittimes of interframe gap,
> 512 bits of collision, an additional 96 bittimes of interframe gap,
> next packet is ready to transmit.

First of all, you shouldn't count the interframe gap twice. The collision event uses an interframe gap, but the next one actually belongs to the next frame; it would be there whether or not a collision occurred.

More important, 511 bit times is the MAXIMUM time consumed by a collision in the absolute worst-case. This requires a network with maximum extent--longest possible cables, maximum repeaters, etc.--and devices with absolute worst-case timing parameters. In most small networks (e.g., a single 10BASE-T hub), nearly all collisions occur during the preamble, and the time consumed by the collision is just 96+64+32=192 bit-times (IFG+Preamble+Jam).

Unless you know the precise instant in which each collision occurs, you cannot calculate the bandwidth "lost" to collisions.

(By the way, the maximum collision fragment is 511 bits, not 512--at 512 bits, it becomes a valid frame.)

In addition, while some Ethernet controllers do return a collision count as part of the transmit status for each frame, many do not provide the SNMP/RMON driver with the exact number of collisions. Instead, the status indicates one of:

* OK (no deferral required, no collisions encountered)
* Deferred (deferral required, but no collisions encountered)
* 1 collision (one collision encountered, with or without deferral)
* >1 collision (more than one collision encountered, with or without deferral)
* Excessive collisions (16 collisions encountered)
* Late collision (collision encountered after 511 bits transmitted)

With this type of controller, you cannot distinguish a frame that encountered two collisions from one that encountered fifteen, so it is hard to estimate the bandwidth "lost" due to collisions.

Finally, I will reiterate my position that collision rates are a virtually useless metric for determining network performance. (See my earlier post on this subject.) Seifert's Law of Networking #21: Measurements of unimportant parameters are meaningless.

-- Note added by Hansang Bae --

In the WORST case scenario (i.e. the stations are at the maximum distance apart) a collision will take up to 84 byte-times to resolve itself: 64 bytes (minimum Ethernet size + FCS), 8 bytes for the preamble, and 12 bytes for the IFG.

84 bytes is 672 bits. It takes 0.1 microsecond to transmit one bit (10 Mb/s = 10,000,000 bits/sec = 10,000 bits/millisecond = 10 bits/microsecond = 1 bit/0.1 microsecond). So the total time spent on one collision event is 67.2 microseconds (672 bits * 0.1 microsecond). Now consider getting 100 collisions per second. 100 x 67.2 microseconds is 6,720 microseconds or 6.72 milliseconds. 6.72 ms/1 sec comes out to 0.672% (6.72 ms/1 sec = 0.00672; in percentage, that's 0.672%). That means that 99.328% of the channel is still available for data.

Here's another way to look at it. For every successful transmission, there was an equal number of collisions. This is 1:1 ratio or 100% collision rate. Or equivalently, 50% of the frames that goes out the NIC are collisions.

Assume that we are talking about an FTP transfer. Typically, FTP will use the 1518 max size and there will be an ACK (Acknowledgement) for every two packets. So you would see two 1518 frames and one ACK for both. So in a collision free world, we would see 2 frames of 1518 bytes and one ACK of 64 bytes. Throw in the preamble/SFD and the IFG to the mix and you get 2*(1518 + 8Preamble + 12 IFG) + 1*(64) = 3,140 bytes.

Now if we have 3 collisions (one collision for each successful frame) then you have to add another 3*84 (three frames taking up 84 byte times - see #5 above). This comes out to 3,144 + (3*84) = 3,396. So the ratio is 3,140/3,396 = .9246 or 92.46%.

That means even with 100% collision rate, we only lose about 7.53% of the bandwidth. Hardly anything to worry about! In the real world, you can expect 33% collision rate for an FTP session. Also for smaller size frames, the % of wasted bandwidth would be much greater. But then again, only large transfers tax Ethernet networks.

*************************************************************************
*
From: Question 51
Subject: How do I stop password-recovery on my routers?

"Password-recovery" might not be the best description. The feature locks out all access to the ROMMON.

You can do this on a 2600/3600 with the global configuration command "no service password-recovery". The feature is indeed tied to the ROMMON. You must have a minimum ROMMON version 11.1(17)AA on the 3600, as well as minimum IOS 11.2(12)P or 11.3(3)T. All ROMMON versions on the 2600 support this feature.

*************************************************************************
*
From: Question 52
Subject: How can I prevent SYN-Flood attack using CAR?

We are talking about all different kinds of floods (ICMP, SYN, UDP, etc) throughout this post. Actually he did say that Sprint can filter on their end. I included in a different post the link to configure CAR to limit SYN attacks using web traffic as an example. Your solution looks like it would work too, as there are multiple ways to configure traffic shaping.

Configure rate limiting for SYN packets. Refer to the following example:

interface {int}
 rate-limit output access-group 153 45000000 100000 100000 conform-action transmit exceed-action drop
 rate-limit output access-group 152 1000000 100000 100000 conform-action transmit exceed-action drop
!
! rate-limit statements are evaluated in order. 153 matches packets of
! already-established TCP connections (no SYNs) and lets them through at
! link rate; 152 then catches what is left, i.e. the SYNs, and holds them
! to the lower rate. WEB_SERVER_IP is a placeholder for the host address
! that is missing from the original text.
access-list 152 permit tcp any host WEB_SERVER_IP eq www
access-list 153 permit tcp any host WEB_SERVER_IP eq www established

In the above example, replace:

* 45000000 with the maximum link bandwidth
* 1000000 with a value that is between 50% and 30% of the SYN flood rate
* burst normal and burst max rates with accurate values

Note that if you set the burst rate greater than 30%, many legitimate SYNs may be dropped. To get an idea of where to set the burst rate, use the "show interfaces rate-limit" command to display the conformed and exceeded rates for the interface. Your objective is to rate-limit the SYNs as little as necessary to get things working again.

WARNING: It is recommended that you first measure the amount of SYN packets during normal state (before attacks occur) and use those values to limit. Review the numbers carefully before deploying this measure.

If a SYN attack is aimed against a particular host, consider installing an IP filtering package on that host. One such package is IP Filter, which can be found at http://coombs.anu.edu.au/ipfilter/ Refer to IP Filter Examples for implementation details.

*************************************************************************
*
From: Question 53
Subject: How do I setup a Multilink PPP?

You have to create a virtual-template interface with the IP address information; PPP then creates a virtual-access interface with that address.

!
multilink virtual-template 1
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ! (or give the template its own address: ip address A.B.C.D MASK)
 no ip mroute-cache
 ppp multilink
!
interface Serial0
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
!
interface Serial1
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink

*************************************************************************
*
From: Question 54
Subject: How do I setup ppp callback with dialer-pool?

This is real hard stuff, doing PPP callback with dialer-pool; there are some commands missing in your config. Look at my example.... (also see: www.cisco.com/warp/public/cc/pd/ifaa/pa/much/tech/althb_wp.htm)

!
username router1 callback-dialstring 749410 password 0 ect
!
interface BRI0/0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp callback accept
 ppp authentication chap
!
interface BRI0/1
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp callback accept
 ppp authentication chap
!
interface Dialer1
 ip unnumbered FastEthernet0/0
 no ip directed-broadcast
 encapsulation ppp
 dialer remote-name router1
 dialer pool 1
 dialer enable-timeout 2
 dialer string 749410 class test1
 dialer-group 1
 ppp authentication chap
!
!
map-class dialer test1
 dialer callback-server username
dialer-list 1 protocol ip permit

*************************************************************************
*
From: Question 55
Subject: My configs are too large. What can I do?

The IOS configuration in the 2600 Series is stored in a 32 KB EEPROM. The ROMMON reserves 3 KB, leaving 29 KB for the IOS. You can use the "service compress-config" command to compress the configuration in the EEPROM. You can also load the configuration file from a TFTP server.

*************************************************************************
*
From: Question 56
Subject: What does Frame-relay LMI and Encapsulation really do/mean?

I think there is some confusion here about frame relay "encapsulation" and frame relay "lmi" (heartbeat/keepalives). Frame relay encapsulation is indeed significant end-to-end through the "cloud" between communicating DTE (router) equipment. Cisco encapsulation inserts an ethernet "type field" immediately after the 2 byte frame header which contains the DLCI, FECN, BECN, and DE fields. IETF (RFC 1490) encapsulation does not use ethernet type fields to identify the payload of the frame. Instead, IETF calls for the use of NLPID codes (Network Layer Protocol Identifiers) which are common in the OSI environment.

NLPIDs are to be used when the payload has an NLPID assigned to it.(like IP) The NLPID (CC, in the case of IP) will follow an Unnumbered Information UI control field, 03. If the payload does not have an NLPID assigned to it, (like IPX) then IETF suggests that an OUI field (organizationally unique identifier) followed by an ethernet type code (8137 for example, if IPX) will be used. Much like an 802.3 frame with SNAP, the type code of 8137 will be offset further into the frame, and not found immediately after the 2 byte frame header.

This encapsulation must be understood by the communicating routers at either edge of the 'cloud.' The cloud itself does not care what type of "encapsulation" is being used. It is strictly a DTE-DTE issue.

LMI is a link integrity and PVC status verification protocol that IS locally significant between the router and the network interface. This protocol comes in 3 flavors: the 'original' Stratacom (aka cisco) version, ANSI's T1.617 Annex D, and CCITT/ITU Q.933 Annex A. These protocols are often collectively referred to as "LMI." It is possible to run one version of LMI on the East User-Network Interface (UNI) and another version on the West UNI, as these protocols simply identify the status of the UNI link and the PVCs found on that link. Encapsulation, however, must match between the DTEs. It is interesting to note, however, that Cisco routers are smart enough to interpret the 'encapsulation' type being used on incoming frames. If both DTEs are Cisco routers, one router 'can' use Cisco encapsulation while the other router uses "IETF." The ability to communicate with Cisco routers using different encapsulation schemes gives the "appearance" that the encapsulation is locally significant. In fact, this (cisco) ability to communicate is made possible by the smarts cisco builds into its implementation.

When any other vendor's DTE is involved, communications will fail if the "encapsulation" on both DTEs is not identical. Even if one of the routers is a cisco. (Unless, of course, the other vendor saw fit to build in the smarts that cisco has done. But I am not aware of any vendor that has this capability other than cisco....)

Hex protocol traces are available if any one would like to see.....

*************************************************************************
*
From: Question 58
Subject: How do I make a T1 Cross-over cable?

For *T1* I've used the following pinouts for crossovers:

T1/E1 crossover (for PRI and CAS back-to-back connection):

RJ-45 ----- RJ-45
  1   -----   4
  2   -----   5
  4   -----   1
  5   -----   2

RJ-45 ----- DB-15
  1   -----   1
  2   -----   9
  4   -----   3
  5   -----  11

DB-15 ----- DB-15
  1   -----   3
  3   -----   1
  9   -----  11
 11   -----   9

For E1 (assuming RJ-48 aka RJ-45), the pinouts would be the same as for T1, except that I guess you need to have pins 3 and 6 (shield/ground) connected.

I don't suppose I should be pointing people to Juniper's web site, but anyway ... http://www.juniper.net/techpubs/hardware/m160/m160-picinstall/html/pinout5.html

*************************************************************************
*
From: Question 59
Subject: Can I use a router to simulate BRI switch?

In current IOS (12.1(3)T and above, I think), you can configure PRIs back-to-back between routers: configure one side to be network side (isdn protocol-emulate network) and the other to be user side (default; isdn protocol-emulate user). The supported switchtypes are primary-net5 and primary-ni.

As the original posting had alluded, we have SOME support for network-side BRI - but this is only on certain VIC cards due to hardware restrictions: http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121x/121xi/121xi_3/dt_brint.htm

*************************************************************************
*
From: Question 60
Subject: How do I use Policy Based Routing?

Keep in mind that Policy routing works on the INBOUND interface. If you think about it, it makes sense. The decision to hand off the packet has to be made as it's coming into the router and not on the egress interface.

!Determine who's eligible to be policy routed
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
!Figure out where you want to send the pkts based on the source IP
!
route-map RouteMeBaby permit 10
 !To whom should this policy apply?
 match ip address 1
 !
 !Where should you redirect it to? Should use both. If one is
 !omitted, the value will be retrieved from the routing table
 !which may or may not be what you wanted
 !
 set ip next-hop ROUTER_2's_SERIAL_IP
 set interface s0
!
interface E0
 ip addr blah blah blah
 ip policy route-map RouteMeBaby
 ! If your IOS supports it, enable fast switching for PBR
 ip route-cache policy

*IF* fast switching is supported (may be 11.3 and up, or it could be 12.0 and up...), do a

sho ip cache policy

if not, do a

sho ip policy

*************************************************************************
*
From: Question 61
Subject: How do I setup a VPN tunnel using pre-shared keys?

Dror-John is right. There is a LOT to know about when you get into encryption, and like any other branch of this industry knowing the hows & whys will help your configs and troubleshooting enormously. The CCO IPSec Product Support page has a wealth of useful info and examples. www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:IPSec

RFCs 2401-2412 are not too taxing either. I've added below a very basic example using pre-shared keys, DES encryption and SHA-1 hashing algorithm. Site 1 is 10.0.1.0/24, site 2 10.0.2.0/24 and the serial i/fs 10.0.4.0/30 (& assumes you have sub-i/fs). Names and things in capitals.

Router1(config)#
!
crypto isakmp policy 1
 ! Define your ISAKMP policy settings
 group 2
 ! 'group' defines the modulus for Diffie-Hellman calculation.
 ! Default is group 1, less CPU work, but less secure.
 authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.2
! Your shared key, and what peer i/f it's used for.
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
! Define what happens to the traffic. AH & ESP are two IPSec protocols.
!
crypto map TO_SITE_2 10 ipsec-isakmp
 ! Define crypto-map
 set peer 10.0.4.2
 ! The other side
 set transform-set TS1
 ! Which transform-set to use
 match address 150
 ! What traffic to include
!
interface Serial1/0.0
 ip address 10.0.4.1 255.255.255.252
 crypto map TO_SITE_2
 ! Apply the crypto-map to the i/f
!
access-list 150 permit ip 10.0.1.0 0.0.0.255 any
! Include traffic coming from here. I've said anything going out, for
! there may be places beyond Site 2, but Cisco says this can cause
! problems for multicast traffic. This also assumes no traffic will be
! going to Site 2 from somewhere else _through_ Site 1. Perhaps
! best to err on the more specific side. However it is a good idea
! to not include your serial i/fs, so you can still get at the far router
! if there's a problem.

Router2(config)#
!
crypto isakmp policy 1
 group 2
 authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.1
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
!
crypto map TO_SITE_1 10 ipsec-isakmp
 set peer 10.0.4.1
 set transform-set TS1
 match address 150
!
interface Serial1/0.0
 ip address 10.0.4.2 255.255.255.252
 crypto map TO_SITE_1
!
access-list 150 permit ip 10.0.2.0 0.0.0.255 any

*************************************************************************
*
From: Question 62
Subject: Why does one packet always get dropped on the last hop of traceroute?

And the winner is ... Max. Inspired by (I think) sec. 4.3.2.8 in RFC-1812, we rate-limit our ICMP message generation to 1/sec/destination. This can be adjusted by the "ip icmp rate-limit unreachable" command. More interesting than simply causing an oddity for traceroute, ICMP rate-limiting can cause intermittent PMTUD blackholes (or I should say perhaps "PMTUD brownholes".) If you're doing PMTUD (as alas anyone running Windows defaults to), then you might want to ease the rate limit on DF unreachables.

*************************************************************************
*
From: Question 63
Subject: How to setup NATing based on outgoing interface to two different ISPs.

>   ISP1
>     \
>      \
>       -------------Cisco 2621
>       |           /
>   CableModem     /
>       ------------------------------------
>         | Firewall |   | Mail Server
>       -------------------> Company LAN
>
> We just installed a T1 to the Internet to co-exist with our Cablemodem. I
> am looking at ways to implement this. We currently have a Cisco 2621 with
> the T1 connection and a Linux Box Masqing cablemodem Internet access now.
> My question is, what would be the best way to implement this?
>
> I proposed we connect the Cablemodem into the 2621 (FEthernet interface)
> next to the T1 connection (separate ISP's btw) and NAT.

That will work. But you need to use route-maps to match the outgoing interface (or nexthop) when you define your NAT pool. In a nutshell:

interface FastEthernet0/0
 ip address blah
 ip nat outside
!
interface FastEthernet0/1
 ip address blah
 ip nat outside
!
! The LAN-facing interface also needs "ip nat inside" (not shown in the
! original post).
!
ip nat pool ISP1 ISP1_Valid_range_here prefix-length blah
ip nat pool Cable Cable_Valid_range_here prefix-length blah
!
! These users below are allowed to use the NAT service.
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map ISP1 permit 10
 match ip address 1
 match interface FastEthernet0/0
!
route-map Cable permit 10
 match ip address 1
 match interface FastEthernet0/1
!
! Tie each route-map to its pool; these two lines were missing from the
! original post.
ip nat inside source route-map ISP1 pool ISP1
ip nat inside source route-map Cable pool Cable

*************************************************************************
*
From: Question 64
Subject: Sample config of using VIC BRI interfaces as an ISDN switch.

Enter this under stupid router tricks (it's got to be more expensive than an ISDN emulator, but not if you've got the parts lying around).

Switch: Cisco 2600 or 3600 with NM-2V and VIC-2BRI-S/T-TE (NT should work too), IOS 12.1.5T9 R1, R2: Cisco with ISDN BRI S/T interface. IOS 12.x

R1----S/T crossover cable----Switch----S/T crossover----R2

These configs let you do ISDN BRI dialup between two routers, using a third router as an ISDN switch. Call setup is flaky but otherwise it seems to work once the call is up. Switch config, for ISDN dial (and X.25 over ISDN D-channel thrown in too):

!
isdn switch-type basic-net3
x25 routing
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 ! whatever
!
interface BRI1/0
 description to R1
 no ip address
 isdn switch-type basic-net3
 isdn overlap-receiving
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn x25 dchannel
 isdn skipsend-idverify
!
! Basic X.25 over D channel, so you can run pad commands
! For always on, see the Cisco docs
!
interface BRI1/0:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5552000
 clns mtu 1514
!
interface BRI1/1
 description to R2
 no ip address
 isdn switch-type basic-net3
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn skipsend-idverify
!
interface BRI1/1:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5551000
 clns mtu 1514
!
x25 route 5551111 interface BRI1/1:0
x25 route 5552222 interface BRI1/0:0
!
voice-port 1/0/0
!
voice-port 1/0/1
!
dial-peer voice 1 pots
 incoming called-number 6045551111
 destination-pattern 6045552222
 direct-inward-dial
 port 1/0/0
!
dial-peer voice 2 pots
 incoming called-number 6045552222
 destination-pattern 6045551111
 direct-inward-dial
 port 1/0/1
!
dial-peer voice 10 voip
 destination-pattern 6045552222
 session target ipv4:10.0.0.1
 codec clear-channel
!
dial-peer voice 20 voip
 destination-pattern 6045551111
 session target ipv4:10.0.0.1
 codec clear-channel
!

R1, R2 config (just reverse the 5551111/5552222 and 1.1.1.1/1.1.1.2)

!
isdn switch-type basic-net3
!
interface BRI0/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp
 dialer string 6045552222 class DOV
 dialer-group 1
 isdn switch-type basic-net3
 isdn incoming-voice data
 isdn calling-number 6045551111
 isdn x25 dchannel
!
interface BRI0/0:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5551111
!
map-class dialer DOV
 dialer voice-call
dialer-list 1 protocol ip permit
!

************************************************************************* * From: Question 65 Subject: What kind of memory does the 2500 use?

Parity. 70ns, 72-pin FPM w/ tin leads.

*************************************************************************
*
From: Question 66
Subject: How do I make an Ethernet Cross-over cable?

Try this as a crossover cable.

1 to 3
2 to 6
3 to 1
6 to 2
4 to 7
5 to 8
7 to 4
8 to 5

Basically in a traditional cross-over, which is a 10 BaseT and a 100 BaseTX, you are swapping the Green Pair with the Orange Pair, but not so commonly, you have a 100 BaseT4 cross-over cable (which just happens to also be a 1000 BaseT cross-over cable), not only do you swap over the Green and Orange Pair, but you also swap over the Blue and Brown Pair.

The silly part is that in Cisco's documentation, it shows the schematic of a traditional crossover cable, but you will see the pin-outs of the 1000BaseT interface.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/2950_wc/hig/hgcable.htm#xtocid42327

I have just made comment to Cisco About this.

*************************************************************************
*
From: Question 67
Subject: How do I use NBAR to block NIMDA?

See: http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml

> Here's my working config (with thanks to John Kaberna and Chris
> Martin) on a 2610 router:
>
> ip cef
>
> class-map match-any http-hacks
>  match protocol http url "*default.ida*"
>  match protocol http url "*x.ida*"
>  match protocol http url "*.ida*"
>  match protocol http url "*cmd.exe*"
>  match protocol http url "*root.exe*"
>  match protocol http url "*_vti_bin*"
>  match protocol http url "*_mem_bin*"
>  match protocol http mime "*readme.exe*"
>  match protocol http mime "*readme.eml*"
>
> policy-map mark-inbound-http-hacks
>  class http-hacks
>   set ip dscp 1
>
> interface Serial0/0
>  ip access-group 101 in
>  service-policy input mark-inbound-http-hacks
>
> interface Ethernet0/0
>  ip access-group 101 out
>
> access-list 101 deny ip any any dscp 1 log
> access-list 101 permit ip any any
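The NBAR class-map above is a set of glob patterns over the requested URL. As an added example (not part of the original post or of Cisco's document), the following Python applies the same url patterns, in the same order, to a web-server access log, so you can see offline what the router would have marked. The log lines are constructed for the example; the two "mime" matches work on the response Content-Type, which an access log does not carry, so they are left out. Matching is done case-insensitively here because Code Red and Nimda varied the case of their requests; the page says nothing about whether NBAR itself does, so treat that as this example's choice.

```python
"""Offline check of the Question 67 NBAR url patterns against web-server log lines.

Added example; the log lines below are constructed, not real traffic.
"""
import fnmatch
import re

# The url patterns of class-map http-hacks, in class-map order.
# NBAR's "*" is a wildcard, which is also what fnmatch uses.
URL_PATTERNS = [
    "*default.ida*",
    "*x.ida*",
    "*.ida*",
    "*cmd.exe*",
    "*root.exe*",
    "*_vti_bin*",
    "*_mem_bin*",
]

# Constructed sample access log (common log format). Lines 2 to 5 are shaped
# like Code Red / Nimda probes; lines 1 and 6 are ordinary requests.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:10:00:01 -0400] "GET /index.html HTTP/1.0" 200 512
192.0.2.11 - - [18/Sep/2001:10:00:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 0
192.0.2.12 - - [18/Sep/2001:10:00:03 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
192.0.2.13 - - [18/Sep/2001:10:00:04 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
192.0.2.14 - - [18/Sep/2001:10:00:05 -0400] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
192.0.2.15 - - [18/Sep/2001:10:00:06 -0400] "GET /images/logo.gif HTTP/1.0" 200 2048
"""

# Pulls method and URL out of the quoted request field of a log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d"')


def match_url(url):
    """Return the first class-map pattern that matches the URL, or None.

    The comparison is case-insensitive (this example's choice, see lead-in).
    fnmatchcase is used so that case folding is done once, here, and not
    according to the platform rules fnmatch.fnmatch would apply.
    """
    lowered = url.lower()
    for pattern in URL_PATTERNS:
        if fnmatch.fnmatchcase(lowered, pattern.lower()):
            return pattern
    return None


def classify_log(text):
    """Return [(client_ip, url, matched_pattern), ...] for every request line
    that the class-map would have matched; non-matching lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        pattern = match_url(m.group("url"))
        if pattern is not None:
            hits.append((line.split()[0], m.group("url"), pattern))
    return hits


if __name__ == "__main__":
    for client, url, pattern in classify_log(SAMPLE_LOG):
        print(f"{client:<12} {pattern:<16} {url}")
```

Because the patterns are tried in class-map order, a request containing both "_vti_bin" and "cmd.exe" is reported under "*cmd.exe*"; with "match-any" the router would mark it either way, so the order only matters for what you read back in the statistics.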

************************************************************************* * From: Question 68 Subject: What is a FECN/BECN and does it mean anything?

First, when you use FR, it is not over a host to router connection. FR is going to be router to ingress-FR-switch through cloud to egress-FR-switch to destination-router. With that in mind, what you have to worry about with exceeding your CIR is the ingress FR switch. FECN and BECNs are different mechanisms which I will explain in a minute.

Let me explain the algorithm that FR switches use to police your bandwidth usage. It is a token/credit system that is implemented on the *ingress* FR switch (so the ingress switch is the traffic cop). Keep in mind that everything that I am about to describe occurs entirely within the FR switch, so when I say that you are given tokens to transmit, I mean that in the software of the FR switch these tokens are kept track of, not that the FR switch transmits tokens to your router to use for each frame. I'm going to start with a simple scenario in which you only have a CIR and an EIR of 0. Anyway, every second (which is the default interval, or Tc for those that want the real term) you get Bc tokens which is essentially permission to transmit that many tokens worth of data over the time of that second. Bc tokens decrement against the CIR, which is to say that Bc tokens are used to regulate the CIR not the EIR (I will describe Be tokens later). At the end of the second you are given more tokens for use during the next second. Every time the FR switch receives data from the router, it subtracts tokens. What happens if you run out of tokens is that every frame will be discarded until the next interval at which point you get more tokens. If it receives a frame marked with a DE bit, it should discard it automatically.

However, most people don't buy FR service with a EIR of zero. In this case where you have a CIR and an EIR, the token credit system is a little more complex. Every time interval (Tc) you get Bc tokens and Be tokens. In the case that you are not setting the DE on any frames, data received by the FR switch decrements credits from the Bc pool until exhausted. Suppose the FR switch now receives a frame but there are no Bc tokens left (you will get more Bc tokens in the next time interval) at the time. The FR switch will check for a Be token, and if you have one, it will mark the DE field and transmit the frame across the network and decrement tokens from the Be pool. Keep in mind that the Be pool represents your burst capabilities over and above the CIR. IOW, Be tokens keep track of the EIR and Bc tokens keep track of the CIR. Suppose the Be pool is exhausted and the Bc pool is exhausted and another frame arrives. It is dropped, period. At the next time interval you will get more Bc and Be tokens to use.

What happens if you mark your own DE frames? Well, when the ingress FR switch receives a non DE-marked frame, it will subtract against the Bc token pool. If it receives a DE-marked frame, it will subtract against the Be token pool. If it receives a non DE-marked frame but there are no Bc tokens left, the FR switch will mark it DE, transmit it and subtract Be tokens. If it receives any frame (regardless of DE or non DE-marked) and there are no Bc or Be tokens left, the frame is dropped. So really the use of marking your own DE frames simply allows you to be the master of your own destiny by categorizing your own data intelligently instead of letting the FR switch do it based simply on the order of arrival. And the reason you want to mark your own packets has to do with how the network handles congestion (see below where I talk about BECN, etc.)

A couple of points are worth making. First, you cannot accumulate tokens over time. There is a maximum amount which is the value of the committed burst (Bc) and this value has a mathematical relationship with the CIR (CIR = Bc/Tc also EIR = Be/Tc). In almost all cases Tc is set to 1 second, so the result is that CIR = Bc and EIR = Be. So if you have the maximum number of tokens in your Bc token pool (max amount = Bc), and you send no frames for the next hour, you will still only have Bc amount of tokens when you send the next frame.

Second, the above description is not 100% accurate so don't use it to teach a class of newbie students. I simplified a number of things for the sake of getting the concepts across, and in the process I sacrificed the accuracy of some of the information. For instance, you don't get a lump of tokens all at once as I described--in reality, your tokens replenish gradually over the Tc interval.

Third, you only need a single token (which represents a byte of data) to transmit a frame. So if you are out of Bc tokens and you only have one Be token left, even if you send a 1500 byte frame, it will still be transmitted as DE and the last token will be subtracted.

Ok, so how does the FR network handle DE or non-DE frames? Different vendors of FR switches may be designed to operate differently, but I believe the following is the normal behavior. If a node within the cloud starts to experience *mild* congestion, it starts setting the FECN, BECN, or both bits on frames traversing the node. Routers connected to the FR cloud that receive BECN bits should slow their transmission by buffering frames and sending them slightly later. Routers that receive FECN bits might (if there is a way) signal the sending router to slow transmission by buffering its frames. If a node starts experiencing moderate congestion, it will start dropping frames marked DE. At heavy and severe congestion levels, the node will start dropping other traffic as well. Depending on vendor, there may be many levels of priority traffic (i.e. gold vs. bronze customers) to determine exactly which frames to drop before others when experiencing heavy and severe levels of congestion.
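An added example (not part of the original post) that models the ingress-switch credit system described above in Python: Bc and Be pools refilled once per Tc, non-DE frames charged to Bc, overflow charged to Be and marked DE, and drops when both pools are empty. It keeps the lump-sum refill simplification from the text, and assumes a router-marked DE frame draws only on the Be pool (the text does not say what happens to a DE frame when only Bc tokens remain).

```python
from dataclasses import dataclass
from typing import Dict, List

# Outcomes the ingress FR switch can assign to a frame.
FORWARD = "forward"        # within CIR: sent with DE clear
FORWARD_DE = "forward-de"  # over CIR: sent with DE set (by the switch or the router)
DROP = "drop"              # Bc and Be both exhausted for this Tc


@dataclass
class Frame:
    t: float          # arrival time at the ingress switch, seconds
    size: int         # frame length in bytes (one token == one byte)
    de: bool = False  # DE bit already set by the sending router


class FrPolicer:
    """Token/credit model of the ingress switch described above.

    Simplification kept from the text: Bc/Be credits arrive as a lump at
    each Tc boundary rather than replenishing gradually over the interval.
    """

    def __init__(self, cir_bps: int, eir_bps: int, tc: float = 1.0) -> None:
        self.tc = tc
        # CIR = Bc/Tc and EIR = Be/Tc; rates are in bits, tokens in bytes.
        self.bc = int(cir_bps * tc / 8)
        self.be = int(eir_bps * tc / 8)
        self.bc_tokens = self.bc
        self.be_tokens = self.be
        self._interval = 0  # index of the Tc interval the pools were filled for

    def _refill(self, t: float) -> None:
        # A new interval resets both pools to Bc/Be; unused tokens never
        # carry over, so an idle hour leaves you with exactly Bc, not more.
        interval = int(t // self.tc)
        if interval != self._interval:
            self._interval = interval
            self.bc_tokens = self.bc
            self.be_tokens = self.be

    def police(self, frame: Frame) -> str:
        self._refill(frame.t)
        if not frame.de and self.bc_tokens > 0:
            # A single remaining token is enough to send the whole frame,
            # so the pool is floored at zero rather than going negative.
            self.bc_tokens = max(0, self.bc_tokens - frame.size)
            return FORWARD
        if self.be_tokens > 0:
            # Either the router pre-marked DE or Bc ran out: charge Be and
            # send with DE set. Assumption: DE frames never draw on Bc.
            self.be_tokens = max(0, self.be_tokens - frame.size)
            return FORWARD_DE
        return DROP


def run_scenario() -> Dict[str, int]:
    """Constructed traffic: CIR 512 kbps, EIR 256 kbps, Tc = 1 s, so
    Bc = 64000 bytes and Be = 32000 bytes per interval."""
    policer = FrPolicer(cir_bps=512_000, eir_bps=256_000)
    frames: List[Frame] = []
    # Interval 0: 60 unmarked 1500-byte frames (90000 bytes, more than Bc).
    frames += [Frame(t=i * 0.01, size=1500) for i in range(60)]
    # Interval 1: the router marks 10 frames DE itself, then sends 70 unmarked.
    frames += [Frame(t=1.0 + i * 0.01, size=1500, de=True) for i in range(10)]
    frames += [Frame(t=1.2 + i * 0.01, size=1500) for i in range(70)]
    counts = {FORWARD: 0, FORWARD_DE: 0, DROP: 0}
    for frame in frames:
        counts[policer.police(frame)] += 1
    return counts


if __name__ == "__main__":
    print(run_scenario())
```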

>> Say I have a CIR of 512 Kbps. Say the users in the site are generating 2
>> Mbps data (internet surfing, email, etc) and I'm not using Discard
>> Eligible (because I wouldn't know how to set that up anyway)
>>
>> Here is my guesswork. The routers may try to send more than 256kbps. The
>> switches will start sending FECN's and BECN's.

They shouldn't start generating FECNs and BECNs unless some FR switch along the path is overloaded, and this (in theory) shouldn't happen since you are well below your CIR. IOW, the network should be engineered to be able to handle everyone's CIR on a statistical basis. If this were to happen on a regular basis, I would configure my router to ignore BECNs/FECNs because I am paying for a CIR of 512k, and I'll be darned if I'll let my NSP force my routers to throttle back when I am only using half of my CIR. They are "committing" to 512k, so I want my 512k, not "256k if the network feels like it".

>> The routers will slow down sending rates. If a user is sending data to
>> a router faster than it can route, what will it do? Do TCP window sizes
>> and acknowledgements between the PC's limit the rate at which the router
>> will receive data, so that it is unlikely ever to be too busy?

Remember that TCP windowing is an end-to-end mechanism, so routers in between aren't part of the equation. PC's rarely send data *to* a router, but rather *through* a router. So if a user is sending data through a router faster than it can route, the buffers in the router fill up, overflow, and packets get dropped, resulting in retransmissions, and therefore the starting over of the TCP windowing size.

>> If data is dropped by the router using DE, will the TCP resend process
>> between the PC's be the normal recovery process?

Routers don't drop DE frames. That is a FR switch function, not a router function. But, yes, ultimately TCP is the process by which lost packets will be retransmitted. ************************************************************************* * From: Question 70 Subject: How do I stop logging (generating snmp trap) for up/down interfaces?

Use the interface commands:

no logging event link-status
no snmp trap link-status

************************************************************************* * From: Question 71 Subject: How do I setup the variables to do tftpdnld in rommon?

You can use tftp, if available ... if not, no luck ... xmodem using the console or another flash. And I think you can upgrade the boot ROM to support the command tftpdnld, but I'm not sure about it:

IP_ADDRESS=10.1.1.16
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=10.1.1.2
TFTP_SERVER=10.1.1.2
TFTP_FILE=ios.bin
FE_SPEED_MODE=0
TFTP_VERBOSE=1
tftpdnld -d

************************************************************************* * From: Question 72 Subject: What is the order of operation in terms how a packet is processed?

From the book "Inside Cisco IOS Architecture":

 1) Compression/decompression
 2) Encryption
 3) Inbound ACL
 4) Unicast reverse path checking
 5) Input rate limiting
 6) Broadcast handling (ip helpers)
 7) Decrement TTL
 8) Inspect subsystem (FW features)
 9) Outside to Inside NAT
10) Handle router alert flags in the IP header
11) Search for outbound interface in the routing table
12) Policy routing
13) Handle web cache redirects
14) Inside to Outside NAT
15) Encryption
16) Output ACL
17) Final Inspect check
18) TCP Intercept processing
************************************************************************* * From: Question 73 Subject: What are the different T1 jack type codes?

RJ48-BLAH, where BLAH is one of:

"C" Identifies a surface or flush-mounted jack.
"W" Identifies a wall-mounted jack.
"S" Identifies a single-line jack.
"M" Identifies a multi-line jack.
"X" Identifies a complex multi-line or series-type jack.

The "X" variety can automatically loop up the line if you pull out the cable, so it's usually called a "smartjack". ************************************************************************* * From: Question 74 Subject: How do I show just one interface's configuration?

My all time favourite "trick" is "show run int xx" where xx is the interface in question. ************************************************************************* * From: Question 75 Subject: How can I script a network reachability test?

Today a trouble ticket was elevated to our design team. It seems a bunch of users are locking up while using Outlook with OpenMail servers. Not sure if it was network, Outlook, OpenMail server, or combination of the above. Since the users were somewhat senior level folks, it was not realistic to have to jot down detailed notes about when it happened etc.

Since the PCs were all Wintel based, I wrote this in a hurry to include in their "START" menu. Not being able to use Unix tools pretty much tied my hands, and I didn't put in a lot of error checking, but hey, I only had about 30 minutes to whip this up.

Although it's a bit simple hope you find it somewhat useful.

------ BEGIN BATCH FILE ------
TITLE TESTING THE NETWORK
@echo off
cls
echo.
echo.
echo.
echo.
echo.
echo **********************************************************
echo **********************************************************
echo **********************************************************
echo *                                                        *
echo *      Running network test........                      *
echo *                                                        *
echo *      This window will close automatically when the     *
echo *      testing has been completed.                       *
echo *                                                        *
echo *      Please call XYZ at XYZ if you have any questions  *
echo *                                                        *
echo **********************************************************
echo **********************************************************
echo **********************************************************
:
: Create a temp folder for our use and start with some flower
: box delimiters
:
if not exist c:\mailte$t md c:\mailte$t
echo ***************************************>> c:\mailte$t\%username%.txt
echo ***************************************>> c:\mailte$t\%username%.txt
:
: Pipe in some blank lines and date time stamp.
echo. >> c:\mailte$t\%username%.txt
echo.|date | find /i "current" >> c:\mailte$t\%username%.txt
echo.|time | find /i "current" >> c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: Start a trace route w/o Rev-DNS lookups to our servers.
: The server name is given as a command line argument.
echo TRACE ROUTING TO %1 >>c:\mailte$t\%username%.txt
tracert -d %1.blah.foobar.com >>c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: ping with max sized ICMP packets (-l sets the payload size)
echo PINGING to %1 >>c:\mailte$t\%username%.txt
:
:!!!unwrap the next two lines!!!
ping -l 1472 %1.blah.foobar.com | find /i "Reply from" >>c:\mailte$t\%username%.txt
:
echo. >> c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: Now ftp it to the 2.104 server using the script file C:\ftpcmd.txt
:
ftp -s:c:\ftpcmd.txt x.x.2.104
exit
------ END BATCH FILE ------

Contents of ftpcmd.txt file:

cisco
cisco1
put c:\mailte$t\*.txt
bye
exit

Basically, it's:

username
password
ftp command
ftp command
etc. etc.

************************************************************************* * From: Question 76 Subject: Where can I find a list of undocumented IOS commands?
http://www.boerland.com/dotu/

************************************************************************* * From: Question 77 Subject: Where can I find information on securing or hardening Cisco routers?

Cisco Router Hardening Step-by-Step
http://rr.sans.org/firewall/router2.php

Improving Security on Cisco Routers:
http://www.cisco.com/warp/public/707/21.html

Cisco PSIRT Advisories
http://www.cisco.com/warp/public/707/advisory.html

Cisco's Security Technical Tips
http://www.cisco.com/warp/public/707/index.shtml

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
http://www.cisco.com/warp/public/707/newsflash.html

Characterizing and Tracing Packet Floods Using Cisco Routers
http://www.cisco.com/warp/public/707/22.html

Denial of Service (DoS) Attack Resources
http://www.denialinfo.com/

************************************************************************* * From: Question 78 Subject: How can I connect two Cisco routers back to back through the AUX ports?

Connecting Routers Back-to-Back Through the AUX Ports
http://www.cisco.com/warp/public/793/access_dial/auxback.html

Configuring AUX-to-AUX Port Async Backup with Dialer Watch
http://www.cisco.com/warp/public/471/aux-aux-watch.html

Using the AUX Port on Cisco Routers for IP/IPX Router Communications
http://www.networkingunlimited.com/white006.html

************************************************************************* * From: Question 79 Subject: How do I use Secure Shell (SSH) on Cisco devices?

Configuring Secure Shell (SSH) on Cisco IOS Routers
http://www.cisco.com/warp/public/707/ssh.shtml

How to Configure SSH on Catalyst Switches Running CatOS
http://www.cisco.com/warp/public/707/ssh_cat_switches.html

************************************************************************* * From: Question 80 Subject: Can I use a /31 address space for my serial point-to-point interfaces?

It depends. If you have a 12.2.x release of IOS, you can use a /31 address. For example:

interface Serial5/1
 ip address 192.168.1.1 255.255.255.254

See the following for more information:


http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ft31addr.htm

************************************************************************* * From: Question 81 Subject: How do I see log messages on the router console?

Log messages are broken into 7 levels, and they can go to 3 places:

- Console (console logging)
- Monitor (any line configured with "monitor" or with the "terminal monitor" exec command)
- Trap (syslog)

The command to turn up log messages is "logging (place) (level)". In your case, you probably want

logging console informational

for minimum messages, or

logging console debug

for debugging messages.

Tip: console logging is disabled by default because the console serial port makes 1 interrupt per character, and has the highest priority of any interrupt on the box. If you want to do console logging, you should probably also rate limit the messages, since an uncontrolled flood of messages to the console can literally cause the box to slow to a crawl and fail. In most cases, it is a better idea to telnet to the box, and debug using 'monitor' logging and "terminal monitor" on the vty. ************************************************************************* * From: Question 82 Subject: What is my overhead of using IPSec?

IPSec Overhead [ from another net posting ]

esp-des                           = 24 bytes
esp-3des                          = 24 bytes
ah-sha-hmac                       = 24 bytes
ah-md5-hmac                       = 24 bytes
esp-md5-hmac                      = 12 bytes
esp-sha-hmac                      = 12 bytes
standard header                   = 20 bytes

esp-des/esp-md5-hmac              = 56 bytes
esp-3des/esp-sha-hmac             = 56 bytes
esp-des/ah-sha-hmac               = 68 bytes
esp-des/ah-md5-hmac               = 68 bytes
esp-des/ah-sha-hmac/esp-sha-hmac  = 80 bytes

other:
gre                               = 24 bytes

For example, I use ESP over AH with a GRE tunnel in tunnel mode: 20 (IP header) + 24 (AH header) + 16 (ESP header) + 4 (GRE) + 2 (ESP trailer) = 66 bytes. My MTU is 1500 - 66 = 1434. ************************************************************************* * From: Question 83 Subject: What is the pinout for the DB9 to RJ45 connector?

ok, I just tested the pinouts of a DB9-RJ45 adapter that I have here... this is what I found:

DB9    RJ45
 1     - nothing
 2     6
 3     3
 4     2
 5     4 & 5 together
 6     7
 7     1
 8     8
 9     - nothing

************************************************************************* * From: Question 84 Subject: Should I use a T1, Cable modem or DSL for Internet connections?

This question comes up often enough it probably should be in the FAQ. Each has its advantages and each has its weaknesses. Which is best will depend upon the specific business requirements and how the network is used.

T1/E1 - Providers tend to treat T1's as serious business products. They tend to be better managed and service response to outages is usually quick. Data rate is a constant, if you order 1.544Mbps, you get 1.544 Mbps in both directions. (Note: fractional T1 may be available with asymmetric capacity provisioned).

DSL - Providers consider this a "consumer grade" offering. Users' experience has been more frequent outages. More important, response to failures that do occur tends to be slow, particularly if the local telco providing the copper is competing with the DSL provider. ADSL provides asymmetric data rates, but "business grade" offerings, such as IDSL and SDSL, provide the same data rates both upstream and downstream. High data rates are only available to users close to the telephone central office.

Cable - Shared medium subject to fluctuating bandwidth availability. Reliability will depend upon the local cable company, and can vary widely. On average, tends to be about as available as DSL. Only available in areas wired for cable TV, which could limit availability in business parks and other non-residential areas. Also only available where the cable franchise has chosen to offer the service.

Other Considerations (feel free to add ones I've missed)

Provisioning of redundant connectivity for servers offered to the public versus internal users browsing the Internet versus VPNs for cost savings all have very different requirements and solutions suitable for one may not work with the others.

BGP support for multihoming is typically only available on T1 links. But then again, if you're only surfing or VPNing there are easier ways to get redundancy that do not require BGP.

In most markets, you can buy a lot of ISDN backup for the price difference between DSL/Cable and T1. Many DSL/Cable providers will block VPN and inbound traffic to your servers unless you purchase their premium "business" service. Make sure the conditions of service are compatible with your needs.

DSL is rarely good backup for T1 because both share the same single points of failure in the telco local loop provisioning. Cable can provide more diversity as a backup, but may still be sharing common single points of failure such as power poles. ************************************************************************* * From: Question 85 Subject: How do I change the time length of 15 mins that is used when displaying the Show ISDN history command?

You can try the command isdn-mib retain-timer ************************************************************************* * From: Question 86 Subject: Why do I see "double" characters when I telnet into my router?

>I have a 2500 router, and it's display double commands as shown below. >cclloocckk rraattee 6644000000 >what can I do to fix it. Thanks.

Looks to me like you have local echoing configured on your terminal emulator. Turn it off and let the router do all the echoing. ************************************************************************* * From: Question 87 Subject: How do I see power-supply failures via SNMP?

you need two commands

set snmp trap enable chassis
set snmp trap (ip address of snmp host) (public community string)

the first one tells the switch to send traps on chassis events, like a power supply failing. the second tells the switch where to send the trap ************************************************************************* * From: Question 88 Subject: How do I change the timer for tx/rxload when doing "show int" command?

Interface command: load-interval IN_SECONDS ************************************************************************* * From: Question 89 Subject: How do I setup FR End-to-End keepalives?

I believe so. Just so we're clear (to the original poster) bandwidth on demand is the ability to kick up a line when you reach a certain threshold. floating static can't be used since the lower admin-distance route will never get a chance to float up.

FR e-t-e can be setup as follows:

int s0/0
 blah
 frame-relay class end-to-end-keepalive
 blah
!
map-class frame-relay end-to-end-keepalive
 frame-relay end-to-end keepalive mode bidirectional
************************************************************************* * From: Question 90 Subject: How do I setup NAT and Port forwarding?

int e0/0
 desc This is the inside address using RFC address
 ip addr 10.1.1.1 255.255.255.0
 ip nat inside
!
int s0/0
 desc This goes to the ISP using assigned address x.x.x.1/30
 ip address x.x.x.1 255.255.255.252
 ip nat outside
!
! Next line determines who will get to use the NAT
! Anyone coming from 10.1.1.0 address will be NATed.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Next line assumes that you want to use one IP for everyone
! and use the port address translation. In your case, you could
! actually use one to one translation.
!
ip nat inside source list 1 interface serial0/0 overload
!
!Set up a static translation so you can telnet into your server
!Assume your server is at 10.1.1.5
!
ip nat inside source static tcp 10.1.1.5 23 x.x.x.1 23
!
!or forward http traffic to your 10.1.1.4 server
!
ip nat inside source static tcp 10.1.1.4 80 x.x.x.1 80

*************************************************************************

* From: Question 91 Subject: How can I policy-route router generated packets?

You need an 'ip local policy route-map ROUTE_MAP_NAME' if you want traffic sourced from the router to go through policy (ie: pings). ************************************************************************* * From: Question 92 Subject: Is there another way to upload my IOS w/o a tftp server?

Here's what I do when I need to upgrade a router's IOS and I don't have LAN or sync serial access to it for TFTP purposes. 1. Plug the following code into the router to configure it for PPP on the AUX port:

interface Async1
 ip address 192.168.255.254 255.255.255.252
 encapsulation ppp
 no ip route-cache
 async default routing
 async mode dedicated
!
ip default-gateway 192.168.255.253
!
line con 0
line aux 0
 no exec
 exec-timeout 0 0
 modem InOut
 transport input all
 stopbits 1
 rxspeed 38400
 txspeed 38400
 flowcontrol hardware

2. Configure a "dialup networking" entry on my Windows PC using the NULL-MODEM driver available from the following Cisco URL:
http://www.cisco.com/warp/public/471/103.html

Configure the dialup networking entry to use 192.168.255.253 as the IP address of the dialing interface.
3. Start up the TFTP server on my Windows PC.
4. Connect to the router from my Windows PC using the dialup networking entry.
5. Open up the router console and use regular TFTP commands to pull the image across.

Depending on what family of router you have (2500, 2600) your AUX port will accommodate up to 38400 (older families) or 115200 (newer families).

************************************************************************* * From: Question 93 Subject: What does the keyword EXTENDABLE mean when doing NAT?

From: http://www.cisco.com/warp/public/701/60.html "Extendable" static translations:

The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address.

ip nat inside source static <localaddr> <globaladdr> extendable

Some customers want to use more than one service provider and translate into each provider's address space. You can use route-maps to base the selection of global address pool on output interface as well as an access-list match. Following is an example:

ip nat pool provider1-space ...
ip nat pool provider2-space ...
ip nat inside source route-map provider1-map pool provider1-space
ip nat inside source route-map provider2-map pool provider2-space
!
route-map provider1-map permit 10
 match ip address 1
 match interface Serial0/0
!
route-map provider2-map permit 10
 match ip address 1
 match interface Serial0/1
. . .

Once that is working, they might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation. ************************************************************************* * From: Question 94 Subject: Where can I get some third party icons for my Visio program?

Check out www.altimatech.com; they sell a product called netzoom that has a great cisco library that they keep up to date, they even take requests! ************************************************************************* * From: Question 95 Subject: Can you help me interpret the output from "Looking Glass" (BGP?)

>I am learning BGP.
>I notice a lot of our engineers where I work use looking glass at
>www.traceroute.org to get answers to a lot of their questions.
>Unfortunately it's hard to get them to give me a seminar.
>Looking glass isn't covered in my cisco press books.
>I am having a hard time grasping when I would need to use looking
>glass.
>and particularly how to use it.
>
>I put in an ameritrade address and it gives me the following.
>
>Query: bgp
>Addr: 64.236.2.194
>BGP routing table entry for 64.236.0.0/16, version 89281795
>Paths: (2 available, best #2)
>  Not advertised to any peer
>  1668
>    66.185.128.93 (metric 445601) from 165.117.1.194 (165.117.1.194)
>      Origin IGP, metric 4294967294, localpref 105, valid, internal
>      Community: 2548:177 2548:209 2548:666 3706:115
>  1668
>    66.185.128.51 (metric 410701) from 165.117.1.166 (165.117.1.166)
>      Origin IGP, metric 4294967294, localpref 105, valid, internal, best
>      Community: 2548:177 2548:317 2548:666 3706:164
>
>What peer problems would arise where I may need this information?
>especially considering I would need to have a peer address to put in
>in the first place.

This is usually used to confirm that a route is being advertised by the proper ISP. You don't put peer addresses in, you put destination network addresses in.

>I see there are communities. not sure who the community members are or
>what the parameters contained in the community attribs are. Any way to
>find out?

Most communities don't have standard meanings. Each AS assigns meanings to the communities that it cares about. By convention, communities are formed by concatenating the ASN that's using the community with a second number that the AS network administrators assign, so the communities shown above are meaningful to AS 2548 and AS 3706. Communities are often used by ISPs to allow their customers to influence routing parameters; for instance, the customer can often send communities that control what localpref the ISP assigns to the routes.

>Any good hints/web-links on how to use or get the most out of the >looking glass site would be appreciated.

There's nothing really special about the looking glass, it's just showing you the output of "show ip bgp" (and other router commands). It's no different from doing it on your own routers, but the looking glass lets you do it from outside your network, so you can tell whether a problem is specific to your network or more widespread.
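An added example, not from the original thread, that parses a looking-glass entry laid out like the "show ip bgp" output quoted above (the sample below is constructed from it) and pulls out what the answers discuss: the AS path, the next hop and the router each path was learned from, which path is marked best, and the ASN half of each asn:value community so you can see which ASes the communities belong to.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the layout of the quoted "show ip bgp" entry.
SAMPLE = """\
BGP routing table entry for 64.236.0.0/16, version 89281795
Paths: (2 available, best #2)
  Not advertised to any peer
  1668
    66.185.128.93 (metric 445601) from 165.117.1.194 (165.117.1.194)
      Origin IGP, metric 4294967294, localpref 105, valid, internal
      Community: 2548:177 2548:209 2548:666 3706:115
  1668
    66.185.128.51 (metric 410701) from 165.117.1.166 (165.117.1.166)
      Origin IGP, metric 4294967294, localpref 105, valid, internal, best
      Community: 2548:177 2548:317 2548:666 3706:164
"""

_AS_PATH = re.compile(r"^\d+(?: \d+)*$")                  # a line of bare ASNs
_NEXT_HOP = re.compile(r"^(\S+) \(metric (\d+)\) from (\S+) \(")
_COMMUNITY = re.compile(r"(\d+):(\d+)")                   # asn:value pairs


@dataclass
class BgpPath:
    as_path: List[int]
    next_hop: str = ""
    igp_metric: int = 0
    learned_from: str = ""       # the neighbor this router got the path from
    localpref: Optional[int] = None
    best: bool = False
    communities: List[Tuple[int, int]] = field(default_factory=list)


def parse_bgp_entry(text: str) -> Tuple[str, List[BgpPath]]:
    """Return (prefix, paths) from one 'BGP routing table entry' block."""
    prefix = ""
    paths: List[BgpPath] = []
    current: Optional[BgpPath] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"BGP routing table entry for (\S+),", line)
        if m:
            prefix = m.group(1)
            continue
        if _AS_PATH.match(line):
            # Each path block starts with its AS path on a line by itself.
            current = BgpPath(as_path=[int(asn) for asn in line.split()])
            paths.append(current)
            continue
        if current is None:
            continue  # header lines such as "Paths:" / "Not advertised ..."
        m = _NEXT_HOP.match(line)
        if m:
            current.next_hop = m.group(1)
            current.igp_metric = int(m.group(2))
            current.learned_from = m.group(3)
        elif line.startswith("Origin"):
            lp = re.search(r"localpref (\d+)", line)
            current.localpref = int(lp.group(1)) if lp else None
            # "best" is one comma-separated flag among valid/internal/etc.
            current.best = "best" in [tok.strip() for tok in line.split(",")]
        elif line.startswith("Community:"):
            current.communities = [(int(a), int(b)) for a, b in _COMMUNITY.findall(line)]
    return prefix, paths


def best_path(paths: List[BgpPath]) -> Optional[BgpPath]:
    return next((p for p in paths if p.best), None)


def community_asns(paths: List[BgpPath]) -> List[int]:
    """ASNs that own the communities seen (the left half of asn:value)."""
    return sorted({asn for p in paths for asn, _ in p.communities})


if __name__ == "__main__":
    prefix, paths = parse_bgp_entry(SAMPLE)
    print(prefix, len(paths), "paths; best via", best_path(paths).next_hop)
    print("communities belong to AS", community_asns(paths))
```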

>Thank you for that enlightening input. >This time I queried.

>Query: bgp >Addr: 216.202.0.0 >It is a Genuity address. > >Here is the output below. >Could someone explain >" Advertised to non peer-group peers: > 198.32.187.122 " this belongs to : Exchange Point Blocks (NET-EP-)

That's a BGP neighbor of the looking glass router, which the router will share this route with.

>Also Genuity actually owns AS number "1" (Very prestigious).
>from the first entry
>"4.24.7.77 (metric 345601) from 165.117.1.127"

> it looks like Genuity 4.24.x.x is learning this from Digex >165.117.1.127 >Why would Genuity learn their own address from Digex.

No, it means that *this* router (Digex's router at MAE-EAST) learned the route from 165.117.1.127. Since Digex doesn't connect to Genuity at MAE-EAST (tier 1 ISPs use private peering amongst each other, we only use the public exchanges to connect with smaller ISPs), it has to learn Genuity routes via the Digex backbone.

>Also could I assume that just because there is no path with AOL in it >that AOL doesn't have a path to them?

No. The looking glass is just showing the routes from Digex to the destination. Why would traffic from Digex to Genuity go through AOL? ************************************************************************* * From: Question 96 Subject: When using Tunnel with an interface that has an ACL, what happens?

>I'm doing an IP tunnel between 2 routers with the command >interface tunnel which has the ethernet0 source. >Is the access-list applied on the ethernet0 inbound although filter the >tunnel traffic ?

Yes. When traffic arrives, it will first be processed by the ethernet interface's inbound access list. If it is permitted in, the router will then de-encapsulate the tunnel traffic, and it will be processed by the tunnel interface's inbound access list. ************************************************************************* * From: Question 97 Subject: Do I need a Xover cable when using 1000Base-T? Answer by: rich@richseifert.com (Rich Seifert)

> I guess it depends on the 1000baseT NICs. On mine, I've used both a
> crossover cable and a straight thru cable just fine to connect two NICs.
> They autonegotiate

Correct. First of all, 1000BASE-T *requires* Auto-Negotiation; it isn't designed to work without it. Second, most 1000BASE-T equipment implements a function that detects whether the cable is straight-through or crossover, and automatically configures itself to work either way. (During the startup training, it can tell how the pairs are connected, and connect each pair to the appropriate decoder module.) ************************************************************************* * From: Question 98 Subject: How do I break the "Rule of Ten" for BGP Load balancing? Answer by: "Cajun" <cajun@cyberspace.org>

That's not true. BGP WILL join two lines AND load balance across them. The trick is, you have to make every single one of the "Rule of Ten" rules equal; which is not a difficult thing to do. Weights, MED's, Local Preference, AS-Path, etc, will all most likely be identical, provided both T1's come from the same provider (yes, I know he said they're different providers.) You can load-balance with BGP across two links, provided the links terminate on the same router on both ends. With everything else being equal, BGP will snag on the last rule, using the IP address of the interfaces to decide which path to take. All you have to do is break that last rule and you're home free.

Here's how you do it:

1) Place static routes on each router pointing across each link to get to the other's loopback address.
2) Set up your neighbor statements with each other's loopback address.
3) Put in a neighbor statement with an update-source of your loopback address.
4) Enter another neighbor statement with ebgp-multihop.

BAM! You're done. You've just now broken the "Rule of Ten." BGP will have no choice but to enter two routes into the routing table, which will load balance. ************************************************************************* * From: Question 99 Subject: How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?

router bgp #####
 no sync
 ! advertise your address block
 network 1.2.3.a mask 255.255.255.224
 neighbor x.x.x.x remote-as x
 neighbor x.x.x.x filter-list 1 out
 neighbor x.x.x.x distribute-list 1 in
 neighbor y.y.y.y remote-as y
 neighbor y.y.y.y filter-list 1 out
 neighbor y.y.y.y distribute-list 1 in
 ! IBGP between the two routers
 neighbor 1.2.3.b remote-as #####
!
! Only advertise locally-originated routes, not transit routes
ip as-path access-list 1 permit ^$
!
! Only accept a default route
access-list 1 permit 0.0.0.0
************************************************************************* * From: Question 100 Subject: Should I turn off console logging?

Crashinfo reads from the log buffer, not the console itself. If you want to have console messages included in crashinfo, you may turn on logging console BUT you also want to be sure logging buffered is on. Once logging buffered is on, console messages do not go to the physical console port and the interrupt problem is circumvented.

> My question is if it is good default practice to turn off console > logging or not?

You should turn it off unless you are using logging buffered. It is off by default in modern IOS versions.

>And on router (e.g. 7200 and 2600) that have console > logging disable, would it reduce the useful info on crashinfo file when > the router crashed?

Yes. But again, it will only save information from 'logging buffered.' So if you want the information, you can turn on logging console, but only if you also use logging buffered....
