100 frequently asked technical questions about Cisco networking

From: Question 1
Subject: What does ``cisco'' stand for?

cisco folklore time: At one point in time, the first letter in cisco Systems was a lowercase ``c''. At present, various factions within the company have adopted a capital ``C'', while fierce traditionalists (as well as some others) continue to use the lowercase variant, as does the cisco Systems logo. This FAQ has chosen to use the lowercase variant throughout.

PDF, 125 pages | Shared by: tlsuongmuoi | Views: 2380 | Downloads: 1
n is indeed significant end-to-end through the "cloud" between communicating DTE (router) equipment. Cisco encapsulation inserts an ethernet "type field" immediately after the 2 byte frame header which contains the DLCI, FECN, BECN, and DE fields. IETF (RFC 1490) encapsulation does not use ethernet type fields to identify the payload of the frame. Instead, IETF calls for the use of NLPID codes (Network Layer Protocol Identifiers) which are common in the OSI environment. NLPIDs are to be used when the payload has an NLPID assigned to it (like IP). The NLPID (CC, in the case of IP) will follow an Unnumbered Information UI control field, 03. If the payload does not have an NLPID assigned to it (like IPX), then IETF suggests that an OUI field (organizationally unique identifier) followed by an ethernet type code (8137 for example, if IPX) will be used. Much like an 802.3 frame with SNAP, the type code of 8137 will be offset further into the frame, and not found immediately after the 2 byte frame header. This encapsulation must be understood by the communicating routers at either edge of the 'cloud.' The cloud itself does not care what type of "encapsulation" is being used. It is strictly a DTE-DTE issue.

LMI is a link integrity and PVC status verification protocol that IS locally significant between the router and the network interface. This protocol comes in 3 flavors: the 'original' Stratacom (aka cisco) version, ANSI's T1.617 Annex D, and CCITT/ITU Q.933 Annex A. These protocols are often collectively referred to as "LMI." It is possible to run one version of LMI on the East User-Network Interface (UNI) and another version on the West UNI, as these protocols simply identify the status of the UNI link and the PVCs found on that link. Encapsulation, however, must match between the DTEs.

It is interesting to note, however, that Cisco routers are smart enough to interpret the 'encapsulation' type being used on incoming frames.
If both DTEs are Cisco routers, one router 'can' use Cisco encapsulation while the other router uses "IETF." The ability to communicate with Cisco routers using different encapsulation schemes gives the "appearance" that the encapsulation is locally significant. In fact, this (cisco) ability to communicate is made possible by the smarts cisco builds into its implementation. When any other vendor's DTE is involved, communications will fail if the "encapsulation" on both DTEs is not identical, even if one of the routers is a cisco. (Unless, of course, the other vendor saw fit to build in the smarts that cisco has done. But I am not aware of any vendor that has this capability other than cisco....)

Hex protocol traces are available if any one would like to see.....

*************************************************************************
From: Question 58
Subject: How do I make a T1 Cross-over cable?

For *T1* I've used the following pinouts for crossovers:

T1/E1 crossover (for PRI and CAS back-to-back connection):

  RJ-45 ----- RJ-45
    1   -----   4
    2   -----   5
    4   -----   1
    5   -----   2

  RJ-45 ----- DB-15
    1   -----   1
    2   -----   9
    4   -----   3
    5   -----   11

  DB-15 ----- DB-15
    1   -----   3
    3   -----   1
    9   -----   11
    11  -----   9

For E1 (assuming RJ-48 aka RJ-45), the pinouts would be the same as for T1, except that I guess you need to have pins 3 and 6 (shield/ground) connected.

I don't suppose I should be pointing people to Juniper's web site, but anyway ...

*************************************************************************
From: Question 59
Subject: Can I use a router to simulate BRI switch?

In current IOS (12.1(3)T and above, I think), you can configure PRIs back-to-back between routers: configure one side to be network side (isdn protocol-emulate network) and the other to be user side (default; isdn protocol-emulate user). The supported switchtypes are primary-net5 and primary-ni.
As the original posting had alluded, we have SOME support for network-side BRI - but this is only on certain VIC cards due to hardware restrictions - /121limit/121x/121xi/121xi_3/dt_brint.htm

*************************************************************************
From: Question 60
Subject: How do I use Policy Based Routing?

Keep in mind that Policy routing works on the INBOUND interface. If you think about it, it makes sense. The decision to hand off the packet has to be made as it's coming into the router and not on the egress interface.

! Determine who's eligible to be policy routed
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Figure out where you want to send the pkts based on the source IP
!
route-map RouteMeBaby permit 10
 ! To whom should this policy apply?
 match ip address 1
 !
 ! Where should you redirect it to? Should use both. If one is
 ! omitted, the value will be retrieved from the routing table -
 ! which may or may not be what you wanted
 !
 set ip next-hop ROUTER_2's_SERIAL_IP
 set interface s0
!
interface E0
 ip addr blah blah blah
 ip policy route-map RouteMeBaby
 ! If your IOS supports it, enable fast switching for PBR
 ip route-cache policy

*IF* fast switching is supported (may be 11.3 and up, or it could be 12.0 and up...) do a "sho ip cache policy"; if not, do a "sho ip policy".

*************************************************************************
From: Question 61
Subject: How do I setup a VPN tunnel using pre-shared keys?

Dror-John is right. There is a LOT to know about when you get into encryption, and like any other branch of this industry knowing the hows & whys will help your configs and troubleshooting enormously. The CCO IPSec Product Support page has a wealth of useful info and examples: www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:IPSec

RFCs 2401-2412 are not too taxing either. I've added below a very basic example using pre-shared keys, DES encryption and SHA-1 hashing algorithm.
Site 1 is 10.0.1.0/24, site 2 10.0.2.0/24 and the serial i/fs 10.0.4.0/30 (& assumes you have sub-i/fs). Names and things in capitals.

Router1(config)#
!
crypto isakmp policy 1
 ! Define your ISAKMP policy settings
 group 2
 ! 'group' defines the modulus for Diffie-Hellman calculation.
 ! Default is group 1, less CPU work, but less secure.
 authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.2
! Your shared key, and what peer i/f it's used for.
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
! Define what happens to the traffic. AH & ESP are two IPSec protocols.
!
crypto map TO_SITE_2 10 ipsec-isakmp
 ! Define crypto-map
 set peer 10.0.4.2
 ! The other side
 set transform-set TS1
 ! Which transform-set to use
 match address 150
 ! What traffic to include
!
interface Serial1/0.0
 ip address 10.0.4.1 255.255.255.252
 crypto map TO_SITE_2
 ! Apply the crypto-map to the i/f
!
access-list 150 permit ip 10.0.1.0 0.0.0.255 any
! Include traffic coming from here. I've said anything going out, for
! there may be places beyond Site 2, but Cisco says this can cause
! problems for multicast traffic. This also assumes no traffic will be
! going to Site 2 from somewhere else _through_ Site 1. Perhaps
! best to err on the more specific side. However it is a good idea
! to not include your serial i/fs, so you can still get at the far router
! if there's a problem.

Router2(config)#
!
crypto isakmp policy 1
 group 2
 authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.1
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
!
crypto map TO_SITE_1 10 ipsec-isakmp
 set peer 10.0.4.1
 set transform-set TS1
 match address 150
!
interface Serial1/0.0
 ip address 10.0.4.2 255.255.255.252
 crypto map TO_SITE_1
!
access-list 150 permit ip 10.0.2.0 0.0.0.255 any

*************************************************************************
From: Question 62
Subject: Why does one packet always get dropped on the last hop of traceroute?

And the winner is ... Max.
Inspired by (I think) sec. 4.3.2.8 in RFC-1812, we rate-limit our ICMP message generation to 1/sec/destination. This can be adjusted by the "ip icmp rate-limit unreachable" command.

More interesting than simply causing an oddity for traceroute, ICMP rate-limiting can cause intermittent PMTUD blackholes (or I should say perhaps "PMTUD brownholes"). If you're doing PMTUD (as alas anyone running Windows defaults to), then you might want to ease the rate limit on DF unreachables.

*************************************************************************
From: Question 63
Subject: How to setup NATing based on outgoing interface to two different ISPs.

>   ISP1            CableModem
>      \            /
>       \          /
>      --------------
>        Cisco 2621
>           |
>           ---------------------------------
>           |                               |
>        Firewall                       Mail Server
>           |
>      --------------------
>         Company LAN
>
> We just installed a T1 to the Internet to co-exist with our Cablemodem. I
> am looking at ways to implement this. We currently have a Cisco 2621 with
> the T1 connection and a Linux Box Masqing cablemodem Internet access now.
> My question is, what would be the best way to implement this?
>
> I proposed we connect the Cablemodem into the 2621 (FEthernet interface)
> next to the T1 connection (separate ISP's btw) and NAT.

That will work. But you need to use route-maps to match the outgoing interface (or next-hop) when you define your NAT pool. In a nutshell:

int fa0/0
 ip addr blah
 ip nat outside
!
int fa0/1
 ip addr blah
 ip nat outside
!
ip nat pool ISP1 ISP1_Valid_range_here prefix-length blah
ip nat pool Cable Cable_Valid_range_here prefix-length blah
!
! These users below are allowed to use the NAT service.
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map ISP1 permit 10
 match ip address 1
 match interface fa0/0
!
route-map Cable permit 10
 match ip address 1
 match interface fa0/1
!
! Added to complete the sketch: each route-map has to be bound to its
! pool, and the LAN-facing interface also needs "ip nat inside".
ip nat inside source route-map ISP1 pool ISP1
ip nat inside source route-map Cable pool Cable

*************************************************************************
From: Question 64
Subject: Sample config of using VIC BRI interfaces as an ISDN switch.
Enter this under stupid router tricks (it's got to be more expensive than an ISDN emulator, but not if you've got the parts lying around).

Switch: Cisco 2600 or 3600 with NM-2V and VIC-2BRI-S/T-TE (NT should work too), IOS 12.1.5T9
R1, R2: Cisco with ISDN BRI S/T interface, IOS 12.x

R1----S/T crossover cable----Switch----S/T crossover----R2

These configs let you do ISDN BRI dialup between two routers, using a third router as an ISDN switch. Call setup is flaky but otherwise it seems to work once the call is up.

Switch config, for ISDN dial (and X.25 over ISDN D-channel thrown in too):

!
isdn switch-type basic-net3
x25 routing
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 ! whatever
!
interface BRI1/0
 description to R1
 no ip address
 isdn switch-type basic-net3
 isdn overlap-receiving
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn x25 dchannel
 isdn skipsend-idverify
!
! Basic X.25 over D channel, so you can run pad commands
! For always on, see the Cisco docs
!
interface BRI1/0:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5552000
 clns mtu 1514
!
interface BRI1/1
 description to R2
 no ip address
 isdn switch-type basic-net3
 isdn protocol-emulate network
 isdn layer1-emulate network
 isdn incoming-voice voice
 isdn skipsend-idverify
!
interface BRI1/1:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5551000
 clns mtu 1514
!
x25 route 5551111 interface BRI1/1:0
x25 route 5552222 interface BRI1/0:0
!
voice-port 1/0/0
!
voice-port 1/0/1
!
dial-peer voice 1 pots
 incoming called-number 6045551111
 destination-pattern 6045552222
 direct-inward-dial
 port 1/0/0
!
dial-peer voice 2 pots
 incoming called-number 6045552222
 destination-pattern 6045551111
 direct-inward-dial
 port 1/0/1
!
dial-peer voice 10 voip
 destination-pattern 6045552222
 session target ipv4:10.0.0.1
 codec clear-channel
!
dial-peer voice 20 voip
 destination-pattern 6045551111
 session target ipv4:10.0.0.1
 codec clear-channel
!
R1, R2 config (just reverse the 5551111/5552222 and 1.1.1.1/1.1.1.2):

!
isdn switch-type basic-net3
!
interface BRI0/0
 ip address 1.1.1.1 255.255.255.0
 encapsulation ppp
 dialer string 6045552222 class DOV
 dialer-group 1
 isdn switch-type basic-net3
 isdn incoming-voice data
 isdn calling-number 6045551111
 isdn x25 dchannel
!
interface BRI0/0:0
 no ip address
 ip mtu 1514
 no ip mroute-cache
 x25 address 5551111
!
map-class dialer DOV
 dialer voice-call
dialer-list 1 protocol ip permit
!

*************************************************************************
From: Question 65
Subject: What kind of memory does the 2500 use?

Parity. 70ns, 72-pin FPM w/ tin leads.

*************************************************************************
From: Question 66
Subject: How do I make an Ethernet Cross-over cable?

Try this as a crossover cable:

  1 to 3
  2 to 6
  3 to 1
  6 to 2
  4 to 7
  5 to 8
  7 to 4
  8 to 5

Basically in a traditional cross-over, which is a 10 BaseT and a 100 BaseTX, you are swapping the Green Pair with the Orange Pair, but not so commonly, you have a 100 BaseT4 cross-over cable (which just happens to also be a 1000 BaseT cross-over cable); not only do you swap over the Green and Orange Pair, but you also swap over the Blue and Brown Pair. The silly part is that in Cisco's Documentation, it shows the schematic of a traditional cross-over cable, but you will see the pin-outs of the 1000BaseT Interface. /hgcable.htm#xtocid42327

I have just made comment to Cisco about this.

*************************************************************************
From: Question 67
Subject: How do I use NBAR to block NIMDA?
See:

> Here's my working config (with thanks to John Kaberna and Chris
> Martin) on a 2610 router:
>
>
> ip cef
>
> class-map match-any http-hacks
>  match protocol http url "*default.ida*"
>  match protocol http url "*x.ida*"
>  match protocol http url "*.ida*"
>  match protocol http url "*cmd.exe*"
>  match protocol http url "*root.exe*"
>  match protocol http url "*_vti_bin*"
>  match protocol http url "*_mem_bin*"
>  match protocol http mime "*readme.exe*"
>  match protocol http mime "*readme.eml*"
>
> policy-map mark-inbound-http-hacks
>  class http-hacks
>   set ip dscp 1
>
> interface Serial0/0
>  ip access-group 101 in
>  service-policy input mark-inbound-http-hacks
>
> interface Ethernet0/0
>  ip access-group 101 out
>
> access-list 101 deny ip any any dscp 1 log
> access-list 101 permit ip any any

*************************************************************************
From: Question 68
Subject: What is a FECN/BECN and does it mean anything?

First, when you use FR, it is not over a host to router connection. FR is going to be router to ingress-FR-switch through cloud to egress-FR-switch to destination-router. With that in mind, what you have to worry about with exceeding your CIR is the ingress FR switch. FECN and BECNs are different mechanisms which I will explain in a minute.

Let me explain the algorithm that FR switches use to police your bandwidth usage. It is a token/credit system that is implemented on the *ingress* FR switch (so the ingress switch is the traffic cop). Keep in mind that everything that I am about to describe occurs entirely within the FR switch, so when I say that you are given tokens to transmit, I mean that in the software of the FR switch these tokens are kept track of, not that the FR switch transmits tokens to your router to use for each frame.

I'm going to start with a simple scenario in which you only have a CIR and an EIR of 0.
Anyway, every second (which is the default interval, or Tc for those that want the real term) you get Bc tokens which is essentially permission to transmit that many tokens worth of data over the time of that second. Bc tokens decrement against the CIR, which is to say that Bc tokens are used to regulate the CIR not the EIR (I will describe Be tokens later). At the end of the second you are given more tokens for use during the next second. Every time the FR switch receives data from the router, it subtracts tokens. What happens if you run out of tokens is that every frame will be discarded until the next interval at which point you get more tokens. If it receives a frame marked with a DE bit, it should discard it automatically.

However, most people don't buy FR service with a EIR of zero. In this case where you have a CIR and an EIR, the token credit system is a little more complex. Every time interval (Tc) you get Bc tokens and Be tokens. In the case that you are not setting the DE on any frames, data received by the FR switch decrements credits from the Bc pool until exhausted. Suppose the FR switch now receives a frame but there are no Bc tokens left (you will get more Bc tokens in the next time interval) at the time. The FR switch will check for a Be token, and if you have one, it will mark the DE field and transmit the frame across the network and decrement tokens from the Be pool. Keep in mind that the Be pool represents your burst capabilities over and above the CIR. IOW, Be tokens keep track of the EIR and Bc tokens keep track of the CIR. Suppose the Be pool is exhausted and the Bc pool is exhausted and another frame arrives. It is dropped, period. At the next time interval you will get more Bc and Be tokens to use.

What happens if you mark your own DE frames? Well, when the ingress FR switch receives a non DE-marked frame, it will subtract against the Bc token pool. If it receives a DE-marked frame, it will subtract against the Be token pool.
If it receives a non DE-marked frame but there are no Bc tokens left, the FR switch will mark it DE, transmit it and subtract Be tokens. If it receives any frame (regardless of DE or non DE-marked) and there are no Bc or Be tokens left, the frame is dropped. So really the use of marking your own DE frames simply allows you to be the master of your own destiny by categorizing your own data intelligently instead of letting the FR switch do it based simply on the order of arrival. And the reason you want to mark your own packets has to do with how the network handles congestion (see below where I talk about BECN, etc.)

A couple of points are worth making. First, you cannot accumulate tokens over time. There is a maximum amount which is the value of the committed burst (Bc) and this value has a mathematical relationship with the CIR (CIR = Bc/Tc, also EIR = Be/Tc). In almost all cases Tc is set to 1 second, so the result is that CIR = Bc and EIR = Be. So if you have the maximum number of tokens in your Bc token pool (max amount = Bc), and you send no frames for the next hour, you will still only have Bc amount of tokens when you send the next frame.

Second, the above description is not 100% accurate so don't use it to teach a class of newbie students. I simplified a number of things for the sake of getting the concepts across, and in the process I sacrificed the accuracy of some of the information. For instance, you don't get a lump of tokens all at once as I described--in reality, your tokens replenish gradually over the Tc interval.

Third, you only need a single token (which represents a byte of data) to transmit a frame. So if you are out of Bc tokens and you only have one Be token left, even if you send a 1500 byte frame, it will still be transmitted as DE and the last token will be subtracted.

Ok, so how does the FR network handle DE or non-DE frames?
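Before moving on to congestion handling, here is the token/credit policing just described, as an added example that is not part of the original FAQ answer. It is a Python model of the simplified scheme the answer lays out: Bc tokens police the CIR, Be tokens police the EIR, one token is one byte, a single remaining token admits a whole frame, a self-marked DE frame is charged to Be, and the pools are refilled as a lump per Tc (the answer's own simplification; real switches refill gradually). The class and function names and the 512 kbps scenario are constructed for this illustration.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Frame:
    size: int          # bytes; one token admits one byte
    de: bool = False   # Discard Eligible bit as set by the sending router


@dataclass
class IngressPolicer:
    """Token/credit policing as the ingress FR switch does it (simplified)."""
    bc: int            # committed burst, bytes per Tc  (CIR = Bc / Tc)
    be: int            # excess burst, bytes per Tc     (EIR = Be / Tc)
    tc: float = 1.0    # interval in seconds
    bc_tokens: int = field(init=False)
    be_tokens: int = field(init=False)
    _interval: int = field(init=False, default=0)

    def __post_init__(self):
        self.bc_tokens, self.be_tokens = self.bc, self.be

    @classmethod
    def from_rates(cls, cir_bps, eir_bps, tc=1.0):
        """Build from CIR/EIR in bits per second using CIR = Bc/Tc, EIR = Be/Tc."""
        return cls(bc=int(cir_bps * tc / 8), be=int(eir_bps * tc / 8), tc=tc)

    def _refill(self, now):
        # Lump refill per Tc (the answer's simplification). Tokens do not
        # accumulate: a new interval resets each pool to Bc / Be, never more.
        interval = int(now // self.tc)
        if interval != self._interval:
            self._interval = interval
            self.bc_tokens, self.be_tokens = self.bc, self.be

    def receive(self, frame, now):
        """Police one frame arriving at time `now` (seconds). Returns
        'forward'    - within CIR, charged to the Bc pool
        'forward-DE' - sent with DE set, charged to the Be pool (sender-marked,
                       or switch-marked because Bc was exhausted)
        'drop'       - both pools exhausted (or a DE frame with no Be at all)"""
        self._refill(now)
        # One remaining token is enough to admit a whole frame.
        if not frame.de and self.bc_tokens > 0:
            self.bc_tokens = max(0, self.bc_tokens - frame.size)
            return "forward"
        if self.be_tokens > 0:
            self.be_tokens = max(0, self.be_tokens - frame.size)
            return "forward-DE"
        return "drop"


def police_burst(policer, n_frames, size, now, de=False):
    """Offer n_frames back-to-back frames at time `now`; count the outcomes."""
    return Counter(policer.receive(Frame(size, de), now) for _ in range(n_frames))


def demo():
    """Constructed scenario: CIR 512 kbps, EIR 512 kbps, Tc 1 s, so Bc = Be =
    64000 bytes, hit with 100 x 1500-byte frames (150000 bytes) in one Tc."""
    p = IngressPolicer.from_rates(512_000, 512_000)
    burst = police_burst(p, 100, 1500, now=0.2)
    later = police_burst(p, 10, 1500, now=1.3)        # next Tc: fresh pools
    zero_eir = IngressPolicer.from_rates(512_000, 0)  # the "EIR of 0" case
    de_frames = police_burst(zero_eir, 3, 1500, now=0.0, de=True)
    return {"burst": dict(burst), "later": dict(later), "zero_eir": dict(de_frames)}


if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name}: {counts}")
```

In the burst, 43 frames go out within CIR (42 full frames use 63000 of the 64000 Bc tokens and the 43rd is admitted on the 1000 left over), 43 more go out marked DE on the Be pool, and the last 14 are dropped; in the next Tc the pools are back to Bc/Be, and with an EIR of zero every self-marked DE frame is discarded, exactly as the answer says.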
Different vendors of FR switches may be designed to operate differently, but I believe the following is the normal behavior. If a node within the cloud starts to experience *mild* congestion, it starts setting the FECN, BECN, or both bits on frames traversing the node. Routers connected to the FR cloud that receive BECN bits should slow their transmission by buffering frames and sending them slightly later. Routers that receive FECN bits might (if there is a way) signal the sending router to slow transmission by buffering its frames. If a node starts experiencing moderate congestion, it will start dropping frames marked DE. At heavy and severe congestion levels, the node will start dropping other traffic as well. Depending on vendor, there may be many levels of priority traffic (i.e. gold vs. bronze customers) to determine exactly which frames to drop before others when experiencing heavy and severe levels of congestion.

>> Say I have a CIR of 512 Kbps. Say the users in the site are generating 2
>> Mbps data (internet surfing, email, etc) and I'm not using Discard
>> Eligible (because I wouldn't know how to set that up anyway)
>>
>> Here is my guesswork. The routers may try to send more than 256kbps. The
>> switches will start sending FECN's and BECN's.

They shouldn't start generating FECNs and BECNs unless some FR switch along the path is overloaded, and this (in theory) shouldn't happen since you are well below your CIR. IOW, the network should be engineered to be able to handle everyone's CIR on a statistical basis. If this were to happen on a regular basis, I would configure my router to ignore BECNs/FECNs because I am paying for a CIR of 512k, and I'll be darned if I'll let my NSP force my routers to throttle back when I am only using half of my CIR. They are "committing" to 512k, so I want my 512k, not "256k if the network feels like it".

>> The routers will slow down sending rates.
>> If a user is sending data to
>> a router faster than it can route, what will it do? Does TCP Window sizes
>> and acknowledgements between the PC's limit the rate at which the router
>> will receive data, so that it is unlikely ever to be too busy?

Remember that TCP windowing is an end-to-end mechanism, so routers in between aren't part of the equation. PC's rarely send data *to* a router, but rather *through* a router. So if a user is sending data through a router faster than it can route, the buffers in the router fill up, overflow, and packets get dropped, resulting in retransmissions, and therefore the starting over of the TCP windowing size.

>> If data is dropped by the router using DE, will the TCP resend process
>> between the PC's be the normal recovery process?

Routers don't drop DE frames. That is a FR switch function, not a router function. But, yes, ultimately TCP is the process by which lost packets will be retransmitted.

*************************************************************************
From: Question 70
Subject: How do I stop logging (generating snmp trap) for up/down interfaces?

Use the interface commands:

 no logging event link-status
 no snmp trap link-status

*************************************************************************
From: Question 71
Subject: How do I setup the variables to do tftpdnld in rommon?

You can use tftp, if available ... if not, no luck ... xmodem using console or another flash. And I think you can upgrade boot rom to support the command tftpdnld but not sure about it:

IP_ADDRESS=10.1.1.16
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=10.1.1.2
TFTP_SERVER=10.1.1.2
TFTP_FILE=ios.bin
FE_SPEED_MODE=0
TFTP_VERBOSE=1
tftpdnld -d

*************************************************************************
From: Question 72
Subject: What is the order of operation in terms how a packet is processed?
From the book "Inside Cisco IOS Architecture":

1) Compression/decompression
2) Encryption
3) Inbound ACL
4) Unicast reverse path checking
5) Input rate limiting
6) Broadcast handling (ip helpers)
7) Decrement TTL
8) Inspect system (FW features)
9) Outside to Inside NAT
10) Handle router alert flags in the IP header
11) Search for outbound interface in the routing table
12) Policy routing
13) Handle web cache redirects
14) Inside to Outside NAT
15) Encryption
16) Output ACL
17) Final Inspect check
18) TCP Intercept processing

*************************************************************************
From: Question 73
Subject: What are the different T1 jack type codes?

RJ48-BLAH where BLAH ==
  "C" Identifies a surface or flush-mounted jack.
  "W" Identifies a wall-mounted jack.
  "S" Identifies a single-line jack.
  "M" Identifies a multi-line jack.
  "X" Identifies a complex multi-line or series-type jack.

The "X" variety can automatically loop up the line if you pull out the cable, so it's usually called a "smartjack".

*************************************************************************
From: Question 74
Subject: How do I show just one interface's configuration?

My all time favourite "trick" is "show run int xx" where xx is the interface in question.

*************************************************************************
From: Question 75
Subject: How can I script a network reachability test?

Today a trouble ticket was elevated to our design team. It seems a bunch of users are locking up while using Outlook with OpenMail servers. Not sure if it was network, Outlook, OpenMail server, or a combination of the above. Since the users were somewhat senior level folks, it was not realistic to have to jot down detailed notes about when it happened etc. Since the PCs were all Wintel based, I wrote this in a hurry to include in their "START" menu.
Not being able to use Unix tools pretty much tied my hands, and I didn't put in a lot of error checking, but hey, I only had about 30 minutes to whip this up. Although it's a bit simple, hope you find it somewhat useful.

------ BEGIN BATCH FILE ----
TITLE TESTING THE NETWORK
@echo off
cls
echo.
echo.
echo.
echo.
echo.
echo **********************************************************
echo **********************************************************
echo **********************************************************
echo *                                                        *
echo *                                                        *
echo *        Running network test........                    *
echo *        This window will close automatically when       *
echo *        the testing has been completed.                 *
echo *                                                        *
echo *        Please call XYZ at XYZ if you have any questions*
echo *                                                        *
echo *                                                        *
echo **********************************************************
echo **********************************************************
echo **********************************************************
:
: Create a temp folder for our use and start with some flower
: box delimiters
:
if not exist c:\mailte$t md c:\mailte$t
echo ***************************************>> c:\mailte$t\%username%.txt
echo ***************************************>> c:\mailte$t\%username%.txt
:
: Pipe in some blank lines and date time stamp.
echo. >> c:\mailte$t\%username%.txt
echo.|date | find /i "current" >> c:\mailte$t\%username%.txt
echo.|time | find /i "current" >> c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: Start a trace route w/o Rev-DNS lookups to our servers.
: The server name is given as a command line argument.
echo TRACE ROUTING TO %1 >>c:\mailte$t\%username%.txt
tracert -d %1.blah.foobar.com >>c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: ping with max sized ICMP packets
echo PINGING to %1 >>c:\mailte$t\%username%.txt
:
: !!!unwrap the next two lines!!!
ping -L 1472 %1.blah.foobar.com | find /i "Reply from" >>c:\mailte$t\%username%.txt
:
echo. >> c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: Now ftp it to the 2.104 server using the script file
: C:\ftpcmd.txt
:
ftp -s:c:\ftpcmd.txt x.x.2.104
exit

Contents of ftpcmd.txt file:

cisco
cisco1
put c:\mailte$t\*.txt
bye
exit

Basically, it's username, password, ftp command, ftp command, etc. etc.

*************************************************************************
From: Question 76
Subject: Where can I find a list of undocumented IOS commands?

*************************************************************************
From: Question 77
Subject: Where can I find information on securing or hardening Cisco routers?

Cisco Router Hardening Step-by-Step
Improving Security on Cisco Routers
Cisco PSIRT Advisories
Cisco's Security Technical Tips
Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
Characterizing and Tracing Packet Floods Using Cisco Routers
Denial of Service (DoS) Attack Resources

*************************************************************************
From: Question 78
Subject: How can I connect two Cisco routers back to back through the AUX ports?

Connecting Routers Back-to-Back Through the AUX Ports
Configuring AUX-to-AUX Port Async Backup with Dialer Watch
Using the AUX Port on Cisco Routers for IP/IPX Router Communications

*************************************************************************
From: Question 79
Subject: How do I use Secure Shell (SSH) on Cisco devices?

Configuring Secure Shell (SSH) on Cisco IOS® Routers
How to Configure SSH on Catalyst Switches Running CatOS

*************************************************************************
From: Question 80
Subject: Can I use a /31 address space for my serial point-to-point interfaces?

It depends. If you have 12.2.x release of IOS, you can use /31 address.
For example:

interface Serial5/1
 ip address 192.168.1.1 255.255.255.254

See the following for more information: /122t2/ft31addr.htm

*************************************************************************
From: Question 81
Subject: How do I see log messages on the router console?

Log messages are broken into 7 levels, and they can go to 3 places:
- Console (console logging)
- Monitor (any line configured with "monitor" or with the "terminal monitor" exec command)
- trap (syslog)

The command to turn up log messages is "logging (place) (level)". In your case, you probably want "logging console informational" for minimum messages or "logging console debug" for debugging messages.

Tip: console logging is disabled by default because the console serial port makes 1 interrupt per character, and has the highest priority of any interrupt on the box. If you want to do console logging, you should probably also rate limit the messages, since an uncontrolled flood of messages to the console can literally cause the box to slow to a crawl and fail. In most cases, it is a better idea to telnet to the box, and debug using 'monitor' logging and "terminal monitor" on the vty.

*************************************************************************
From: Question 82
Subject: What is my overhead of using IPSec?

IPSec Overhead [ from another net posting ]

esp-des = 24 bytes
esp-3des = 24 bytes
ah-sha-hmac = 24 bytes
ah-md5-hmac = 24 bytes
esp-md5-hmac = 12 bytes
esp-sha-hmac = 12 bytes
standard header = 20 bytes
esp-des/esp-md5-hmac = 56 bytes
esp-3des/esp-sha-hmac = 56 bytes
esp-des/ah-sha-hmac = 68 bytes
esp-des/ah-md5-hmac = 68 bytes
esp-des/ah-sha-hmac/esp-sha-hmac = 80 bytes
other gre = 24 bytes

For example I use ESP over AH with a GRE tunnel in tunnel mode.
20 (IP header) + 24 (AH header) + 16 (ESP header) + 4 (GRE) + 2 (ESP trailer) = 66

My MTU is 1500 - 66 = 1434

*************************************************************************
From: Question 83
Subject: What is the pinout for the DB9 to RJ45 connector?

OK, I just tested the pinouts of a DB9-RJ45 adapter that I have here... this is what I found:

  DB9     RJ45
  1   -   nothing
  2   -   6
  3   -   3
  4   -   2
  5   -   4&5 together
  6   -   7
  7   -   1
  8   -   8
  9   -   nothing

*************************************************************************
From: Question 84
Subject: Should I use a T1, Cable modem or DSL for Internet connections?

This question comes up often enough it probably should be in the FAQ. Each has its advantages and each has its weaknesses. Which is best will depend upon the specific business requirements and how the network is used.

T1/E1 - Providers tend to treat T1's as serious business products. They tend to be better managed and service response to outages is usually quick. Data rate is a constant: if you order 1.544Mbps, you get 1.544 Mbps in both directions. (Note: fractional T1 may be available with asymmetric capacity provisioned).

DSL - Providers consider this a "consumer grade" offering. Users' experience has been more frequent outages. More important, response to failures that do occur tends to be slow, particularly if the local telco providing the copper is competing with the DSL provider. ADSL provides asymmetric data rates, but "business grade" offerings, such as IDSL and SDSL, provide the same data rates both upstream and downstream. High data rates are only available to users close to the telephone central office.

Cable - Shared medium subject to fluctuating bandwidth availability. Reliability will depend upon the local cable company, and can vary widely. On average, tends to be about as available as DSL. Only available in areas wired for cable TV, which could limit availability in business parks and other non-residential areas.
Also only available where the cable franchise has chosen to offer the service.

Other Considerations (feel free to add ones I've missed)

Provisioning of redundant connectivity for servers offered to the public, versus internal users browsing the Internet, versus VPNs for cost savings, all have very different requirements, and solutions suitable for one may not work with the others.

BGP support for multihoming is typically only available on T1 links. But then again, if you're only surfing or VPNing there are easier ways to get redundancy that do not require BGP. In most markets, you can buy a lot of ISDN backup for the price difference between DSL/Cable and T1.

Many DSL/Cable providers will block VPN and inbound traffic to your servers unless you purchase their premium "business" service. Make sure the conditions of service are compatible with your needs.

DSL is rarely good backup for T1 because both share the same single points of failure in the telco local loop provisioning. Cable can provide more diversity as a backup, but may still be sharing common single points of failure such as power poles.

*************************************************************************
From: Question 85
Subject: How do I change the time length of 15 mins that is used when displaying the "show isdn history" command?

You can try the command:

isdn-mib retain-timer

*************************************************************************
From: Question 86
Subject: Why do I see "double" characters when I telnet into my router?

>I have a 2500 router, and it's displaying double commands as shown below.
>cclloocckk rraattee 6644000000
>What can I do to fix it? Thanks.

Looks to me like you have local echoing configured on your terminal emulator. Turn it off and let the router do all the echoing.

*************************************************************************
From: Question 87
Subject: How do I see power-supply failures via SNMP?
You need two commands:

set snmp trap enable chassis
set snmp trap (ip address of snmp host) (public community string)

The first one tells the switch to send traps on chassis events, like a power supply failing. The second tells the switch where to send the trap.

*************************************************************************
From: Question 88
Subject: How do I change the timer for tx/rxload when doing the "show int" command?

Interface command:

load-interval IN_SECONDS

*************************************************************************
From: Question 89
Subject: How do I setup FR End-to-End keepalives?

I believe so. Just so we're clear (to the original poster): bandwidth on demand is the ability to kick up a line when you reach a certain threshold. A floating static can't be used since the lower admin-distance route will never get a chance to float up.

FR e-t-e can be setup as follows:

int s0/0
 blah
 frame-relay class end-to-end-keepalive
 blah
!
map-class frame-relay end-to-end-keepalive
 frame-relay end-to-end keepalive mode bidirectional

*************************************************************************
From: Question 90
Subject: How do I setup NAT and Port forwarding?

int e0/0
 desc This is the inside address using RFC address
 ip addr 10.1.1.1 255.255.255.0
 ip nat inside
!
int s0/0
 desc This goes to the ISP using assigned address x.x.x.1/30
 ip address x.x.x.1 255.255.255.252
 ip nat outside
!
! Next line determines who will get to use the NAT
! Anyone coming from 10.1.1.0 address will be NATed.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Next line assumes that you want to use one IP for everyone
! and use the port address translation. In your case, you could
! actually use one to one translation.
!
ip nat inside source list 1 interface serial0/0 overload
!
! Set up a static translation so you can telnet into your server
! Assume your server is at 10.1.1.5
!
ip nat inside source static tcp 10.1.1.5 23 x.x.x.1 23
!
! or forward http traffic to your 10.1.1.4 server
!
ip nat inside source static tcp 10.1.1.4 80 x.x.x.1 80

*************************************************************************
From: Question 91
Subject: How can I policy-route router generated packets?

You need an "ip local policy route-map ROUTE_MAP_NAME" if you want traffic sourced from the router to go through policy (ie: pings).

*************************************************************************
From: Question 92
Subject: Is there another way to upload my IOS w/o a tftp server?

Here's what I do when I need to upgrade a router's IOS and I don't have LAN or sync serial access to it for TFTP purposes.

1. Plug the following code into the router to configure it for PPP on the AUX port:

interface Async1
 ip address 192.168.255.254 255.255.255.252
 encapsulation ppp
 no ip route-cache
 async default routing
 async mode dedicated
!
ip default-gateway 192.168.255.253
!
line con 0
line aux 0
 no exec
 exec-timeout 0 0
 modem InOut
 transport input all
 stopbits 1
 rxspeed 38400
 txspeed 38400
 flowcontrol hardware

2. Configure a "dialup networking" entry on my Windows PC using the NULL-MODEM driver available from the following Cisco URL:
   Configure the dialup networking entry to use 192.168.255.253 as the IP address of the dialing interface.

3. Start up the TFTP server on my Windows PC.

4. Connect to the router from my Windows PC using the dialup networking entry.

5. Open up the router console and use regular TFTP commands to pull the image across.

Depending on what family of router you have (2500, 2600) your AUX port will accommodate up to 38400 (older families) or 115200 (newer families).

*************************************************************************
From: Question 93
Subject: What does the keyword EXTENDABLE mean when doing NAT?
"Extendable" static translations:

The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address.

ip nat inside source static extendable

Some customers want to use more than one service provider and translate into each provider's address space. You can use route-maps to base the selection of global address pool on output interface as well as an access-list match. Following is an example:

ip nat pool provider1-space ...
ip nat pool provider2-space ...
ip nat inside source route-map provider1-map pool provider1-space
ip nat inside source route-map provider2-map pool provider2-space
!
route-map provider1-map permit 10
 match ip address 1
 match interface Serial0/0
!
route-map provider2-map permit 10
 match ip address 1
 match interface Serial0/1
. . .

Once that is working, they might also want to define static mappings for a particular host using each provider's address space. The software does not allow two static translations with the same local address, though, because it is ambiguous from the inside. The router will accept these static translations and resolve the ambiguity by creating full translations (all addresses and ports) if the static translations are marked as "extendable". For a new outside-to-inside flow, the appropriate static entry will act as a template for a full translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to create a full translation.

*************************************************************************
From: Question 94
Subject: Where can I get some third party icons for my Visio program?

Check out www.altimatech.com. They sell a product called netzoom that has a great cisco library that they keep up to date; they even take requests!
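Returning to the IPsec overhead arithmetic in Question 82: the following is an added Python example, not part of the FAQ, that turns the per-header sizes the answer uses for its own sum (20 + 24 + 16 + 4 + 2 = 66) into functions and adds the one thing the fixed sum leaves out, the ESP padding that depends on the inner packet length. The 8-byte DES/3DES block size, treating GRE plus the inner packet as the ESP plaintext, and the 12-byte ESP authentication trailer (the page's esp-md5-hmac / esp-sha-hmac figure) are the assumptions; the combined totals in the table the answer quotes come from a different posting and are not used here.

```python
# Added example (not from the FAQ): IPsec/GRE tunnel overhead and MTU arithmetic
# built on the per-header sizes the Question 82 answer uses for its own sum
# (20 + 24 + 16 + 4 + 2 = 66).  Block size and plaintext layout are assumptions.

IP_HEADER = 20      # outer IPv4 header added in tunnel mode (page: "standard header")
AH_HEADER = 24      # ah-md5-hmac / ah-sha-hmac (page figure)
ESP_HEADER = 16     # SPI + sequence number + 8-byte IV for DES/3DES (page figure)
ESP_TRAILER = 2     # pad-length + next-header bytes (page figure)
ESP_AUTH = 12       # esp-md5-hmac / esp-sha-hmac ICV (page figure), optional
GRE_HEADER = 4      # basic GRE header without key/sequence (page figure)
CIPHER_BLOCK = 8    # DES / 3DES block size (assumption: CBC mode)


def fixed_overhead(ah=False, esp=True, esp_auth=False, gre=False, tunnel_mode=True):
    """Bytes added to every packet, excluding the variable ESP padding."""
    total = IP_HEADER if tunnel_mode else 0
    if ah:
        total += AH_HEADER
    if esp:
        total += ESP_HEADER + ESP_TRAILER
        if esp_auth:
            total += ESP_AUTH
    if gre:
        total += GRE_HEADER
    return total


def esp_padding(plaintext_len, block=CIPHER_BLOCK):
    """Padding ESP inserts so plaintext + 2-byte trailer ends on a cipher block boundary."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def effective_mtu(link_mtu, overhead):
    """Largest inner packet the answer's arithmetic allows (1500 - 66 = 1434)."""
    return link_mtu - overhead


def tcp_mss(mtu):
    """MSS to clamp on inner TCP sessions (IPv4 header 20 + TCP header 20, no options)."""
    return mtu - 40


def wire_length(inner_len, ah=False, esp=True, esp_auth=False, gre=False, tunnel_mode=True):
    """Total bytes on the link for an inner packet of inner_len, padding included.
    Assumption: with ESP present, GRE (if any) and the inner packet form the ESP plaintext."""
    overhead = fixed_overhead(ah, esp, esp_auth, gre, tunnel_mode)
    pad = 0
    if esp:
        plaintext = inner_len + (GRE_HEADER if gre else 0)
        pad = esp_padding(plaintext)
    return overhead + inner_len + pad


def fits(inner_len, link_mtu=1500, **tunnel):
    """True when the encapsulated packet does not need fragmentation on the link."""
    return wire_length(inner_len, **tunnel) <= link_mtu


if __name__ == "__main__":
    cfg = dict(ah=True, esp=True, gre=True)          # the answer's ESP-over-AH + GRE case
    oh = fixed_overhead(**cfg)
    mtu = effective_mtu(1500, oh)
    print("fixed overhead:", oh, "bytes -> inner MTU", mtu, "-> TCP MSS", tcp_mss(mtu))
    for size in (1434, 1435):
        print(size, "byte inner packet ->", wire_length(size, **cfg),
              "bytes on the wire, fits:", fits(size, **cfg))
```

The padding is why the answer's 1434 is a comfortable number: 1434 + 4 (GRE) + 2 (trailer) is a multiple of 8, so a 1434-byte inner packet lands on exactly 1500 bytes, while a 1435-byte packet needs 7 bytes of padding and comes out at 1508, which the link has to fragment. Clamping TCP MSS (here 1394) on the tunnel interface avoids that fragmentation for TCP without touching end hosts.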
*************************************************************************
From: Question 95
Subject: Can you help me interpret the output from "Looking Glass" (BGP)?

>I am learning BGP.
>I notice a lot of our engineers where I work use looking glass at
>www.traceroute.org to get answers to a lot of their questions.
>Unfortunately it's hard to get them to give me a seminar.
>Looking glass isn't covered in my cisco press books.
>I am having a hard time grasping when I would need to use looking
>glass, and particularly how to use it.
>
>I put in an ameritrade address and it gives me the following.
>
>Query: bgp
>Addr: 64.236.2.194
>BGP routing table entry for 64.236.0.0/16, version 89281795
>Paths: (2 available, best #2)
>  Not advertised to any peer
>  1668
>    66.185.128.93 (metric 445601) from 165.117.1.194 (165.117.1.194)
>      Origin IGP, metric 4294967294, localpref 105, valid, internal
>      Community: 2548:177 2548:209 2548:666 3706:115
>  1668
>    66.185.128.51 (metric 410701) from 165.117.1.166 (165.117.1.166)
>      Origin IGP, metric 4294967294, localpref 105, valid, internal, best
>      Community: 2548:177 2548:317 2548:666 3706:164
>
>What peer problems would arise where I may need this information?
>Especially considering I would need to have a peer address to put in
>in the first place.

This is usually used to confirm that a route is being advertised by the proper ISP. You don't put peer addresses in, you put destination network addresses in.

>I see there are communities. Not sure who the community members are or
>what the parameters contained in the community attribs are. Any way to
>find out?

Most communities don't have standard meanings. Each AS assigns meanings to the communities that it cares about. By convention, communities are formed by concatenating the ASN that's using the community with a second number that the AS network administrators assign, so the communities shown above are meaningful to AS 2548 and AS 3706.
Communities are often used by ISPs to allow their customers to influence routing parameters; for instance, the customer can often send communities that control what localpref the ISP assigns to the routes.

>Any good hints/web-links on how to use or get the most out of the
>looking glass site would be appreciated.

There's nothing really special about the looking glass, it's just showing you the output of "show ip bgp" (and other router commands). It's no different from doing it on your own routers, but the looking glass lets you do it from outside your network, so you can tell whether a problem is specific to your network or more widespread.

>Thank you for that enlightening input.
>This time I queried.
>Query: bgp
>Addr: 216.202.0.0
>It is a Genuity address.
>
>Here is the output below.
>Could someone explain
>" Advertised to non peer-group peers:
>  198.32.187.122 " this belongs to: Exchange Point Blocks (NET-EP-)

That's a BGP neighbor of the looking glass router, which the router will share this route with.

>Also Genuity actually owns AS number "1" (Very prestigious).
>From the first entry
>"4.24.7.77 (metric 345601) from 165.117.1.127"
>it looks like Genuity 4.24.x.x is learning this from Digex
>165.117.1.127
>Why would Genuity learn their own address from Digex?

No, it means that *this* router (Digex's router at MAE-EAST) learned the route from 165.117.1.127. Since Digex doesn't connect to Genuity at MAE-EAST (tier 1 ISPs use private peering amongst each other, we only use the public exchanges to connect with smaller ISPs), it has to learn Genuity routes via the Digex backbone.

>Also could I assume that just because there is no path with AOL in it
>that AOL doesn't have a path to them?

No. The looking glass is just showing the routes from Digex to the destination. Why would traffic from Digex to Genuity go through AOL?
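The answers above boil down to three checks on a "show ip bgp" entry: which AS originates the prefix (is the route coming from the proper ISP), which path the router marked best and who it was learned from, and which AS each community belongs to. As an added Python example, not part of the FAQ, here is a parser for the looking-glass output format quoted in the question that makes those checks in code; the sample text is the poster's output re-typed, and the field layout the regexes expect is assumed to match that sample.

```python
# Added example (not part of the FAQ): parse the "show ip bgp <prefix>" text a looking
# glass returns and answer the questions raised in Question 95 from the parsed fields.
# SAMPLE is the poster's output re-typed; the line layout is assumed to match it.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
BGP routing table entry for 64.236.0.0/16, version 89281795
Paths: (2 available, best #2)
  Not advertised to any peer
  1668
    66.185.128.93 (metric 445601) from 165.117.1.194 (165.117.1.194)
      Origin IGP, metric 4294967294, localpref 105, valid, internal
      Community: 2548:177 2548:209 2548:666 3706:115
  1668
    66.185.128.51 (metric 410701) from 165.117.1.166 (165.117.1.166)
      Origin IGP, metric 4294967294, localpref 105, valid, internal, best
      Community: 2548:177 2548:317 2548:666 3706:164
"""

HEADER_RE = re.compile(r"BGP routing table entry for (\S+), version (\d+)")
PATHS_RE = re.compile(r"Paths: \((\d+) available, best #(\d+)\)")
AS_PATH_RE = re.compile(r"^\d+(?: \d+)*$")          # a line holding only AS numbers
NEXT_HOP_RE = re.compile(r"^(\S+) \(metric (\d+)\) from (\S+) \((\S+)\)")


@dataclass
class BgpPath:
    as_path: List[int]
    next_hop: str = ""
    igp_metric: int = 0
    learned_from: str = ""
    origin: str = ""
    med: Optional[int] = None
    localpref: Optional[int] = None
    flags: List[str] = field(default_factory=list)
    communities: List[Tuple[int, int]] = field(default_factory=list)

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]        # rightmost AS is the one that originated the prefix

    @property
    def best(self) -> bool:
        return "best" in self.flags


def parse_show_ip_bgp(text: str) -> dict:
    entry = {"prefix": None, "version": None, "available": 0, "best_index": 0, "paths": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            entry["prefix"], entry["version"] = m.group(1), int(m.group(2))
            continue
        m = PATHS_RE.match(line)
        if m:
            entry["available"], entry["best_index"] = int(m.group(1)), int(m.group(2))
            continue
        if AS_PATH_RE.match(line):                       # each path starts with its AS path
            current = BgpPath(as_path=[int(a) for a in line.split()])
            entry["paths"].append(current)
            continue
        if current is None:                               # e.g. "Not advertised to any peer"
            continue
        m = NEXT_HOP_RE.match(line)
        if m:
            current.next_hop, current.igp_metric = m.group(1), int(m.group(2))
            current.learned_from = m.group(3)
            continue
        if line.startswith("Origin "):
            for tok in line.split(", "):
                if tok.startswith("Origin "):
                    current.origin = tok.split()[1]
                elif tok.startswith("metric "):
                    current.med = int(tok.split()[1])
                elif tok.startswith("localpref "):
                    current.localpref = int(tok.split()[1])
                else:
                    current.flags.append(tok)             # valid / internal / external / best
            continue
        if line.startswith("Community: "):
            for item in line[len("Community: "):].split():
                asn, value = item.split(":")
                current.communities.append((int(asn), int(value)))
    return entry


def best_path(entry: dict) -> Optional[BgpPath]:
    return next((p for p in entry["paths"] if p.best), None)


def origin_as_set(entry: dict) -> set:
    """All origin ASes seen; more than one member means the paths disagree on who owns the prefix."""
    return {p.origin_as for p in entry["paths"]}


def communities_by_as(path: BgpPath) -> Dict[int, List[int]]:
    """Group community values under the AS whose number forms their left half."""
    grouped: Dict[int, List[int]] = {}
    for asn, value in path.communities:
        grouped.setdefault(asn, []).append(value)
    return grouped


if __name__ == "__main__":
    e = parse_show_ip_bgp(SAMPLE)
    print(e["prefix"], "origin AS(es):", origin_as_set(e))
    b = best_path(e)
    print("best path via", b.next_hop, "learned from", b.learned_from, communities_by_as(b))
```

Run against the quoted output, origin_as_set() returns {1668} for both paths, which is the "advertised by the proper ISP" check the answer describes, and communities_by_as() splits the communities by the AS they are meaningful to (2548 and 3706). A set with more than one origin AS for a prefix you own is the thing to look for in a looking glass when you suspect someone else is announcing your space.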
*************************************************************************
From: Question 96
Subject: When using Tunnel with an interface that has an ACL, what happens?

>I'm doing an IP tunnel between 2 routers with the command
>interface tunnel which has the ethernet0 source.
>Is the access-list applied on the ethernet0 inbound also filtering the
>tunnel traffic?

Yes. When traffic arrives, it will first be processed by the ethernet interface's inbound access list. If it is permitted in, the router will then de-encapsulate the tunnel traffic, and it will be processed by the tunnel interface's inbound access list.

*************************************************************************
From: Question 97
Subject: Do I need a Xover cable when using 1000Base-T?

Answer by: rich@richseifert.com (Rich Seifert)

> I guess it depends on the 1000baseT NICs. On mine, I've used both a
> crossover cable and a straight thru cable just fine to connect two NICs.
> They autonegotiate

Correct. First of all, 1000BASE-T *requires* Auto-Negotiation; it isn't designed to work without it. Second, most 1000BASE-T equipment implements a function that detects whether the cable is straight-through or crossover, and automatically configures itself to work either way. (During the startup training, it can tell how the pairs are connected, and connect each pair to the appropriate decoder module.)

*************************************************************************
From: Question 98
Subject: How do I break the "Rule of Ten" for BGP Load balancing?

Answer by: "Cajun"

That's not true. BGP WILL join two lines AND load balance across them. The trick is, you have to make every single one of the "Rule of Ten" rules equal, which is not a difficult thing to do. Weights, MEDs, Local Preference, AS-Path, etc., will all most likely be identical, provided both T1's come from the same provider (yes, I know he said they're different providers.)
You can load-balance with BGP across two links, provided the links terminate on the same router on both ends. With everything else being equal, BGP will snag on the last rule, using the IP address of the interfaces to decide which path to take. All you have to do is break that last rule and you're home free. Here's how you do it:

1) Place static routes on each router pointing across each link to get to the other's loopback address.
2) Set up your neighbor statements with each other's loopback address.
3) Put in a neighbor statement with an update-source of your loopback address.
4) Enter another neighbor statement with ebgp-multihop.

BAM! You're done. You've just now broken the "Rule of Ten." BGP will have no choice but to enter two routes into the routing table, which will load balance.

*************************************************************************
From: Question 99
Subject: How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?

router bgp #####
 no sync
 ! advertise your address block
 network 1.2.3.a mask 255.255.255.224
 neighbor x.x.x.x remote-as x
 neighbor x.x.x.x filter-list 1 out
 neighbor x.x.x.x distribute-list 1 in
 neighbor y.y.y.y remote-as y
 neighbor y.y.y.y filter-list 1 out
 neighbor y.y.y.y distribute-list 1 in
 ! IBGP between the two routers
 neighbor 1.2.3.b remote-as #####
!
! Only advertise locally-originated routes, not transit routes
ip as-path access-list 1 permit ^$
!
! Only accept a default route
access-list 1 permit 0.0.0.0

*************************************************************************
From: Question 100
Subject: Should I turn off console logging?

Crashinfo reads from the log buffer, not the console itself. If you want to have console messages included in crashinfo, you may turn on logging console BUT you also want to be sure logging buffered is on. Once logging buffered is on, console messages do not go to the physical console port and the interrupt problem is circumvented.
> My question is if it is good default practice to turn off console
> logging or not?

You should turn it off unless you are using logging buffered. It is off by default in modern IOS versions.

> And on routers (e.g. 7200 and 2600) that have console logging disabled,
> would it reduce the useful info in the crashinfo file when the router
> crashed?

Yes. But again, it will only save information from 'logging buffered.' So if you want the information, you can turn on logging console, but only if you also use logging buffered....
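The Question 99 configuration relies on two filters: the as-path regex "^$" on the outbound side (only routes with an empty AS path, i.e. locally originated, are advertised, so the router never becomes transit between its two providers) and a standard access-list on the inbound side (only the default is accepted). As an added Python example, not part of the FAQ, the two filters are evaluated over constructed routes. The regex and the ACL are the page's; the route samples, the documentation ASNs 64496, 64497 and 64511, and the concrete block 1.2.3.0/27 standing in for the page's "1.2.3.a mask 255.255.255.224" are constructed.

```python
# Added example (not from the FAQ): the two filters in the Question 99 configuration
# evaluated over constructed routes.  "^$" and "permit 0.0.0.0" are the page's; the
# ASNs (documentation range) and prefixes below are constructed samples.
import ipaddress
import re
from typing import Dict, List

AS_PATH_ACL_1 = r"^$"          # ip as-path access-list 1 permit ^$  (empty path = locally originated)
ACL_1_NETWORK = "0.0.0.0"      # access-list 1 permit 0.0.0.0  (wildcard defaults to 0.0.0.0)
ACL_1_WILDCARD = "0.0.0.0"

# Constructed route samples: (prefix, AS path as this router sees it).
LOCAL_TABLE = [
    ("1.2.3.0/27", []),                     # our own block from the "network" statement
    ("192.0.2.0/24", [64497]),              # learned from provider y (re-advertising = transit)
    ("0.0.0.0/0", [64496]),                 # default learned from provider x
]
INBOUND_FROM_X = [
    ("0.0.0.0/0", [64496]),
    ("203.0.113.0/24", [64496, 64511]),
    ("0.0.0.0/8", [64496]),                 # odd prefix chosen to show the ACL's blind spot
]


def as_path_text(as_path: List[int]) -> str:
    return " ".join(str(a) for a in as_path)


def permit_outbound(as_path: List[int], pattern: str = AS_PATH_ACL_1) -> bool:
    """filter-list 1 out: advertise only routes whose AS path matches the regex."""
    return re.search(pattern, as_path_text(as_path)) is not None


def permit_inbound(prefix: str, network: str = ACL_1_NETWORK, wildcard: str = ACL_1_WILDCARD) -> bool:
    """distribute-list 1 in with a standard ACL: the route's network address is compared
    with the ACL address under the wildcard mask; the prefix length is not examined."""
    addr = int(ipaddress.IPv4Address(prefix.split("/")[0]))
    acl = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # bits the ACL actually checks
    return (addr & care) == (acl & care)


def apply_policy(local_table, inbound) -> Dict[str, List[str]]:
    """What this router would send to a provider and what it would accept from one."""
    return {
        "advertised": [p for p, path in local_table if permit_outbound(path)],
        "accepted": [p for p, path in inbound if permit_inbound(p)],
    }


if __name__ == "__main__":
    print(apply_policy(LOCAL_TABLE, INBOUND_FROM_X))
```

The 0.0.0.0/8 sample is the caveat worth knowing about the inbound side: a standard access-list used as a distribute-list compares only the network address, so any route whose network part is 0.0.0.0 gets through regardless of its length. If the intent is strictly "a default route and nothing else", a prefix-list (`ip prefix-list` with `permit 0.0.0.0/0`) expresses the mask as well as the address.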
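Questions 81 and 100 both turn on the same two mechanisms: a logging destination receives every message at its configured severity or lower (more severe), and the console needs rate limiting because each character it emits costs a top-priority interrupt. As an added Python example, not part of the FAQ, the following models both over constructed sample messages. The eight level names are the IOS keywords; the rate-limit semantics (a fixed number of messages per second, with messages at or below an "except" severity never limited and not counted) are an assumption that models what `logging rate-limit` does, not a transcription of IOS internals.

```python
# Added example (not from the FAQ): how a logging destination selects messages by
# severity and how console rate limiting keeps a message flood off the console.
# Level names are the IOS keywords; the rate-limit behaviour is a modelling assumption.
import re
from typing import List, Optional, Tuple

LEVELS = ["emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging"]   # 0 .. 7

MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")

# Constructed sample: (seconds since boot, message).  All six fall inside one 1-second window.
SAMPLE_LOG: List[Tuple[float, str]] = [
    (0.10, "%LINK-3-UPDOWN: Interface Serial0/0, changed state to down"),
    (0.20, "%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down"),
    (0.30, "%SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)"),
    (0.40, "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(4242) -> 10.1.1.1(23), 1 packet"),
    (0.50, "%EXAMPLE-7-DEBUG_MSG: constructed debug-level message"),
    (0.60, "%SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed, pool Processor"),
]


def level_number(name: str) -> int:
    return LEVELS.index(name)


def parse_message(line: str) -> Optional[dict]:
    """Split %FACILITY-SEVERITY-MNEMONIC: text into its parts; None if the line has no tag."""
    m = MSG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["severity"] = int(d["severity"])
    d["level"] = LEVELS[d["severity"]]
    return d


def select_for_destination(entries, level_name: str) -> List[dict]:
    """'logging <dest> <level>' passes messages at that severity number or lower (more severe)."""
    threshold = level_number(level_name)
    out = []
    for ts, line in entries:
        msg = parse_message(line)
        if msg and msg["severity"] <= threshold:
            msg["time"] = ts
            out.append(msg)
    return out


def rate_limit(entries, per_second: int, except_level: str = "errors") -> List[dict]:
    """Keep at most per_second messages per one-second window; messages at or below
    except_level always pass and do not consume the window's budget (assumption)."""
    cutoff = level_number(except_level)
    budget = {}                       # integer second -> messages already allowed
    kept = []
    for ts, line in entries:
        msg = parse_message(line)
        if not msg:
            continue
        msg["time"] = ts
        if msg["severity"] <= cutoff:
            kept.append(msg)
            continue
        window = int(ts)
        if budget.get(window, 0) < per_second:
            budget[window] = budget.get(window, 0) + 1
            kept.append(msg)
    return kept


if __name__ == "__main__":
    for m in select_for_destination(SAMPLE_LOG, "informational"):
        print(m["level"], m["facility"], m["mnemonic"])
    print(len(rate_limit(SAMPLE_LOG, 2)), "of", len(SAMPLE_LOG),
          "would reach a console limited to 2 messages/s")
```

With "informational" selected, five of the six constructed messages pass and only the level-7 debug line is dropped, which is the "minimum messages" setting the Question 81 answer suggests. With a 2-per-second console limit, the two level-5 messages use up the window and the level-6 and level-7 lines are discarded, while the level-3 and level-2 messages pass untouched because they sit at or below the "errors" exception. That is the combination that keeps the console usable during an interface flap storm without hiding the messages that matter.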
