From: Question 1
Subject: What does ``cisco'' stand for?
cisco folklore time:
At one point in time, the first letter in cisco Systems was a lowercase ``c''. At present,
various factions within the company have adopted a capital ``C'', while fierce traditionalists
(as well as some others) continue to use the lowercase variant, as does the cisco Systems
logo. This FAQ has chosen to use the lowercase variant throughout.
n is indeed significant end-to-end
through the "cloud" between communicating DTE (router) equipment. Cisco encapsulation
inserts an ethernet "type field" immediately after the 2 byte frame header which contains the
DLCI, FECN, BECN, and DE fields. IETF (RFC 1490) encapsulation does not use ethernet
type fields to identify the payload of the frame. Instead, IETF calls for the use of NLPID
codes (Network Layer Protocol Identifiers) which are common in the OSI environment.
NLPIDs are to be used when the payload has an NLPID assigned to it (like IP). The NLPID
(CC, in the case of IP) will follow an Unnumbered Information (UI) control field, 03. If the
payload does not have an NLPID assigned to it, (like IPX) then IETF suggests that an OUI
field (organizationally unique identifier) followed by an ethernet type code (8137 for
example, if IPX) will be used. Much like an 802.3 frame with SNAP, the type code of 8137
will be offset further into the frame, and not found immediately after the 2 byte frame
header.
This encapsulation must be understood by the communicating routers at either edge of the
'cloud.' The cloud itself does not care what type of "encapsulation" is being used. It is
strictly a DTE-DTE issue.
LMI is a link integrity and PVC status verification protocol that IS locally significant
between the router and the network interface. This protocol comes in 3 flavors: the
'original' Stratacom (aka cisco) version, ANSI's T1.617 Annex D, and CCITT/ITU Q.933
Annex A. These protocols are often collectively referred to as "LMI." It is possible to run
one version of LMI on the East User-Network Interface (UNI) and another version on the
West UNI, as these protocols simply identify the status of the UNI link and the PVCs found
on that link. Encapsulation, however, must match between the DTEs. It is interesting to
note, however, that Cisco routers are smart enough to interpret the 'encapsulation' type
being used on incoming frames. If both DTEs are Cisco routers, one router 'can' use Cisco
encapsulation while the other router uses "IETF." The ability to communicate with Cisco
routers using different encapsulation schemes gives the "appearance" that the encapsulation
is locally significant. In fact, this (cisco) ability to communicate is made possible by the
smarts cisco builds into its implementation.
When any other vendor's DTE is involved, communications will fail if the "encapsulation"
on both DTEs is not identical. Even if one of the routers is a cisco. (Unless, of course, the
other vendor saw fit to build in the smarts that cisco has done. But I am not aware of any
vendor that has this capability other than cisco....)
Hex protocol traces are available if anyone would like to see.....
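As an added illustration (not part of the original post), the following Python decodes the 2-byte frame header described above and then tells Cisco encapsulation from IETF (RFC 1490) encapsulation the way a receiving DTE has to; the sample frames, the DLCI value and the helper names are constructed for this example.

```python
"""Decode a Frame Relay (Q.922) 2-byte address header and identify the
encapsulation that follows it: Cisco (an Ethernet type field right after the
header) or IETF/RFC 1490 (UI control 0x03, then an NLPID such as 0xCC for IP,
or a SNAP header carrying an OUI and an Ethernet type such as 0x8137 for IPX).
Added example with constructed sample frames; not vendor code."""
from dataclasses import dataclass

UI_CONTROL = 0x03    # Q.922 Unnumbered Information control field
NLPID_IP = 0xCC      # RFC 1490 NLPID assigned to IP
NLPID_SNAP = 0x80    # RFC 1490 NLPID meaning "SNAP header follows"
ETHERTYPE_NAMES = {0x0800: "ip", 0x0806: "arp", 0x8137: "ipx"}


@dataclass
class FrHeader:
    dlci: int
    cr: bool      # command/response bit (not used by routers)
    fecn: bool
    becn: bool
    de: bool


@dataclass
class FrFrame:
    header: FrHeader
    encap: str    # "cisco" or "ietf"
    proto: str    # "ip", "ipx", ... or "nlpid-0xNN" / "ethertype-0xNNNN"
    payload: bytes


def parse_address(b: bytes) -> FrHeader:
    """Q.922 2-byte address: 6 DLCI bits, C/R, EA=0 | 4 DLCI bits, FECN, BECN, DE, EA=1."""
    if len(b) < 2 or (b[0] & 0x01) or not (b[1] & 0x01):
        raise ValueError("not a 2-byte Q.922 address (EA bits must be 0 then 1)")
    dlci = ((b[0] >> 2) << 4) | (b[1] >> 4)
    return FrHeader(
        dlci=dlci,
        cr=bool(b[0] & 0x02),
        fecn=bool(b[1] & 0x08),
        becn=bool(b[1] & 0x04),
        de=bool(b[1] & 0x02),
    )


def parse_frame(raw: bytes) -> FrFrame:
    """Classify the encapsulation the way a receiving router must."""
    hdr = parse_address(raw[:2])
    body = raw[2:]
    if len(body) < 2:
        raise ValueError("frame too short for any encapsulation")
    if body[0] != UI_CONTROL:
        # Cisco encapsulation: Ethernet type field immediately after the header.
        etype = int.from_bytes(body[:2], "big")
        return FrFrame(hdr, "cisco", ETHERTYPE_NAMES.get(etype, f"ethertype-0x{etype:04x}"), body[2:])
    # IETF (RFC 1490): control 0x03, optional pad 0x00, then the NLPID.
    i = 1
    if body[i] == 0x00:
        i += 1
    if i >= len(body):
        raise ValueError("truncated RFC 1490 header")
    nlpid = body[i]
    if nlpid == NLPID_SNAP:
        # SNAP: 3-byte OUI then 2-byte type, so the type code sits deeper in the frame.
        if len(body) < i + 6:
            raise ValueError("truncated SNAP header")
        etype = int.from_bytes(body[i + 4:i + 6], "big")
        return FrFrame(hdr, "ietf", ETHERTYPE_NAMES.get(etype, f"ethertype-0x{etype:04x}"), body[i + 6:])
    name = "ip" if nlpid == NLPID_IP else f"nlpid-0x{nlpid:02x}"
    return FrFrame(hdr, "ietf", name, body[i + 1:])


# Constructed sample frames on DLCI 100 (address bytes 0x18 0x41 with no flag bits set).
CISCO_IP = bytes([0x18, 0x41, 0x08, 0x00]) + b"\x45" + b"\x00" * 19   # Cisco encap, IP
IETF_IP = bytes([0x18, 0x45, 0x03, 0xCC]) + b"\x45" + b"\x00" * 19    # IETF, BECN bit set
IETF_IPX = bytes([0x18, 0x43, 0x03, 0x00, 0x80, 0x00, 0x00, 0x00, 0x81, 0x37]) + b"\xff" * 30  # IETF SNAP, DE set


def encap_mismatch(frame: FrFrame, configured: str) -> bool:
    """True when a frame arrives with an encapsulation other than the one this
    DTE is configured for; a DTE without cisco's auto-detection drops such frames."""
    return frame.encap != configured


if __name__ == "__main__":
    for raw in (CISCO_IP, IETF_IP, IETF_IPX):
        f = parse_frame(raw)
        print(f.header, f.encap, f.proto, "mismatch" if encap_mismatch(f, "ietf") else "ok")
```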
*************************************************************************
*
From: Question 58
Subject: How do I make a T1 Cross-over cable?
For *T1* I've used the following pinouts for crossovers:
T1/E1 crossover (for PRI and CAS back-to-back connection):
RJ-45 ----- RJ-45
1 ----- 4
2 ----- 5
4 ----- 1
5 ----- 2
RJ-45 ----- DB-15
1 ----- 1
2 ----- 9
4 ----- 3
5 ----- 11
DB-15 ----- DB-15
1 ----- 3
3 ----- 1
9 ----- 11
11 ----- 9
For E1 (assuming RJ-48 aka RJ-45), the pinouts would be the same as for T1, except that I
guess you need to have pins 3 and 6 (shield/ground) connected.
I don't suppose I should be pointing people to Juniper's web site, but anyway ...
*************************************************************************
*
From: Question 59
Subject: Can I use a router to simulate a BRI switch?
In current IOS (12.1(3)T and above, I think), you can configure PRIs back-to-back between
routers: configure one side to be network side (isdn protocol-emulate network) and the other
to be user side (default; isdn protocol-emulate user). The supported switchtypes are
primary-net5 and primary-ni.
As the original posting had alluded, we have SOME support for network-side BRI - but this
is only on certain VIC cards due to hardware restrictions -
/121limit/121x/121xi/121xi_3/dt_brint.htm
*************************************************************************
*
From: Question 60
Subject: How do I use Policy Based Routing?
Keep in mind that Policy routing works on the INBOUND interface. If you think about it, it
makes sense. The decision to hand off the packet has to be made as it's coming into the
router and not on the egress interface.
!Determine who's eligible to be policy routed
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
!Figure out where you want to send the pkts based on the source IP
!
route-map RouteMeBaby permit 10
!To whom should this policy apply?
match ip address 1
!
!Where should you redirect it to? Should use both. If one is
!omitted, the value will be retrieved from the routing table -
!which may or may not be what you wanted
!
set ip next-hop ROUTER_2's_SERIAL_IP
set interface s0
!
interface E0
ip addr blah blah blah
ip policy route-map RouteMeBaby
! If your IOS supports it, enable fast switching for PBR
ip route-cache policy
*IF* fast switching is supported (may be 11.3 and up, or it could be 12.0 and up...), do a
sho ip cache policy
if not, do a
sho ip policy
*************************************************************************
*
From: Question 61
Subject: How do I setup a VPN tunnel using pre-shared keys?
Dror-John is right. There is a LOT to know about when you get into encryption, and like
any other branch of this industry knowing the hows & whys will help your configs and
troubleshooting enormously. The CCO IPSec Product Support page has a wealth of useful
info and examples:
www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Internetworking:IPSec
RFCs 2401-2412 are not too taxing either. I've added below a very basic example using
pre-shared keys, DES encryption and SHA-1 hashing algorithm. Site 1 is 10.0.1.0/24, site 2
10.0.2.0/24 and the serial i/fs 10.0.4.0/30 (& assumes you have sub-i/fs). Names and things
in capitals.
Router1(config)#
!
crypto isakmp policy 1
! Define your ISAKMP policy settings
group 2
! 'group' defines the modulus for Diffie-Hellman calculation.
! Default is group 1, less CPU work, but less secure.
authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.2
! Your shared key, and what peer i/f it's used for.
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
! Define what happens to the traffic. AH & ESP are two IPSec protocols.
!
crypto map TO_SITE_2 10 ipsec-isakmp
! Define crypto-map
set peer 10.0.4.2
! The other side
set transform-set TS1
! Which transform-set to use
match address 150
! What traffic to include
!
interface Serial1/0.0
ip address 10.0.4.1 255.255.255.252
crypto map TO_SITE_2
! Apply the crypto-map to the i/f
!
access-list 150 permit ip 10.0.1.0 0.0.0.255 any
! Include traffic coming from here. I've said anything going out, for
! there may be places beyond Site 2, but Cisco says this can cause
! problems for multicast traffic. This also assumes no traffic will be
! going to Site 2 from somewhere else _through_ Site 1. Perhaps
! best to err on the more specific side. However it is a good idea
! to not include your serial i/fs, so you can still get at the far router
! if there's a problem.
Router2(config)#
!
crypto isakmp policy 1
group 2
authentication pre-share
crypto isakmp key SHARED_KEY_HERE address 10.0.4.1
!
crypto ipsec transform-set TS1 ah-sha-hmac esp-des
!
crypto map TO_SITE_1 10 ipsec-isakmp
set peer 10.0.4.1
set transform-set TS1
match address 150
!
interface Serial1/0.0
ip address 10.0.4.2 255.255.255.252
crypto map TO_SITE_1
!
access-list 150 permit ip 10.0.2.0 0.0.0.255 any
*************************************************************************
*
From: Question 62
Subject: Why does one packet always get dropped on the last hop of traceroute?
And the winner is ... Max. Inspired by (I think) sec. 4.3.2.8 in RFC-1812, we rate-limit our
ICMP message generation to 1/sec/destination. This can be adjusted by the "ip icmp rate-limit
unreachable" command. More interesting than simply causing an oddity for traceroute,
ICMP rate-limiting can cause intermittent PMTUD blackholes (or I should say perhaps
"PMTUD brownholes".) If you're doing PMTUD (as alas anyone running Windows
defaults to), then you might want to ease the rate limit on DF unreachables.
*************************************************************************
*
From: Question 63
Subject: How to setup NATing based on outgoing interface to two different ISPs.
> ISP1            CableModem
>    \              /
>     \            /
>      --------------
>        Cisco 2621
>            |
>     ---------------------------------
>       |                     |
>    Firewall             Mail Server
>       |
>     --------------------
>       Company LAN
>
> We just installed a T1 to the Internet to co-exist with our Cablemodem. I
> am looking at ways to implement this. We currently have a Cisco 2621 with
> the T1 connection and a Linux Box Masqing cablemodem Internet access now.
> My question is, what would be the best way to implement this?
>
> I proposed we connect the Cablemodem into the 2621 (FEthernet interface)
> next to the T1 connection (separate ISP's btw) and NAT.
That will work. But you need to use route-maps to match the outgoing interface (or next-hop)
when you define your NAT pool. In a nutshell:
int fa0/0
ip addr blah
ip nat outside
!
int fa0/1
ip addr blah
ip nat outside
!
ip nat pool ISP1 ISP1_Valid_range_here prefix-length blah
ip nat pool Cable Cable_Valid_range_here prefix-length blah
!
! Hosts matched below are allowed to use the NAT service.
access-list 1 permit 10.0.0.0 0.255.255.255
!
route-map ISP1 permit 10
match ip address 1
match interface fa0/0
!
route-map Cable permit 10
match ip address 1
match interface fa0/1
!
! Tie each route-map to its pool (the LAN-facing interface also needs "ip nat inside").
ip nat inside source route-map ISP1 pool ISP1
ip nat inside source route-map Cable pool Cable
*************************************************************************
*
From: Question 64
Subject: Sample config of using VIC BRI interfaces as an ISDN switch.
Enter this under stupid router tricks (it's got to be more expensive than an ISDN emulator,
but not if you've got the parts lying around).
Switch: Cisco 2600 or 3600 with NM-2V and VIC-2BRI-S/T-TE (NT should work too), IOS 12.1.5T9
R1, R2: Cisco with ISDN BRI S/T interface, IOS 12.x
R1----S/T crossover cable----Switch----S/T crossover----R2
These configs let you do ISDN BRI dialup between two routers, using a third router as an
ISDN switch. Call setup is flaky but otherwise it seems to work once the call is up.
Switch config, for ISDN dial (and X.25 over ISDN D-channel thrown in too)
!
isdn switch-type basic-net3
x25 routing
!
interface Loopback0
ip address 10.0.0.1 255.255.255.255
! whatever
!
interface BRI1/0
description to R1
no ip address
isdn switch-type basic-net3
isdn overlap-receiving
isdn protocol-emulate network
isdn layer1-emulate network
isdn incoming-voice voice
isdn x25 dchannel
isdn skipsend-idverify
!
! Basic X.25 over D channel, so you can run pad commands
! For always on, see the Cisco docs
!
interface BRI1/0:0
no ip address
ip mtu 1514
no ip mroute-cache
x25 address 5552000
clns mtu 1514
!
interface BRI1/1
description to R2
no ip address
isdn switch-type basic-net3
isdn protocol-emulate network
isdn layer1-emulate network
isdn incoming-voice voice
isdn skipsend-idverify
!
interface BRI1/1:0
no ip address
ip mtu 1514
no ip mroute-cache
x25 address 5551000
clns mtu 1514
!
x25 route 5551111 interface BRI1/1:0
x25 route 5552222 interface BRI1/0:0
!
voice-port 1/0/0
!
voice-port 1/0/1
!
dial-peer voice 1 pots
incoming called-number 6045551111
destination-pattern 6045552222
direct-inward-dial
port 1/0/0
!
dial-peer voice 2 pots
incoming called-number 6045552222
destination-pattern 6045551111
direct-inward-dial
port 1/0/1
!
dial-peer voice 10 voip
destination-pattern 6045552222
session target ipv4:10.0.0.1
codec clear-channel
!
dial-peer voice 20 voip
destination-pattern 6045551111
session target ipv4:10.0.0.1
codec clear-channel
!
R1, R2 config (just reverse the 5551111/5552222 and 1.1.1.1/1.1.1.2)
!
isdn switch-type basic-net3
!
interface BRI0/0
ip address 1.1.1.1 255.255.255.0
encapsulation ppp
dialer string 6045552222 class DOV
dialer-group 1
isdn switch-type basic-net3
isdn incoming-voice data
isdn calling-number 6045551111
isdn x25 dchannel
!
interface BRI0/0:0
no ip address
ip mtu 1514
no ip mroute-cache
x25 address 5551111
!
map-class dialer DOV
dialer voice-call
dialer-list 1 protocol ip permit
!
*************************************************************************
*
From: Question 65
Subject: What kind of memory does the 2500 use?
Parity. 70ns, 72-pin FPM w/ tin leads.
*************************************************************************
*
From: Question 66
Subject: How do I make an Ethernet Cross-over cable?
Try this as a crossover cable.
1 to 3
2 to 6
3 to 1
6 to 2
4 to 7
5 to 8
7 to 4
8 to 5
Basically in a traditional cross-over, which is for 10 BaseT and 100 BaseTX, you are
swapping the Green Pair with the Orange Pair. Less commonly, you have a 100 BaseT4
cross-over cable (which just happens to also be a 1000 BaseT cross-over cable), where not
only do you swap over the Green and Orange Pair, but you also swap over the Blue and
Brown Pair.
The silly part is that in Cisco's Documentation, it shows the schematic of a traditional
cross-over cable, but you will see the pin-outs of the 1000BaseT Interface.
/hgcable.htm#xtocid42327
I have just made comment to Cisco About this.
*************************************************************************
*
From: Question 67
Subject: How do I use NBAR to block NIMDA?
See:
> Here's my working config (with thanks to John Kaberna and Chris
> Martin) on a 2610 router:
>
>
> ip cef
>
> class-map match-any http-hacks
> match protocol http url "*default.ida*"
> match protocol http url "*x.ida*"
> match protocol http url "*.ida*"
> match protocol http url "*cmd.exe*"
> match protocol http url "*root.exe*"
> match protocol http url "*_vti_bin*"
> match protocol http url "*_mem_bin*"
> match protocol http mime "*readme.exe*"
> match protocol http mime "*readme.eml*"
>
> policy-map mark-inbound-http-hacks
> class http-hacks
> set ip dscp 1
>
> interface Serial0/0
> ip access-group 101 in
> service-policy input mark-inbound-http-hacks
>
> interface Ethernet0/0
> ip access-group 101 out
>
> access-list 101 deny ip any any dscp 1 log
> access-list 101 permit ip any any
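To show what the quoted class-map actually selects, here is an added Python replay of it (not IOS code and not from the post): the match clauses are the post's own, while the '*'-only wildcard matcher, the case-insensitive comparison and the sample requests are assumptions constructed for this example.

```python
"""Replay the NBAR class-map from the post above against sample HTTP
requests: 'class-map match-any' means one matching clause is enough, the
policy-map marks the packet DSCP 1, and access-list 101 then drops anything
carrying DSCP 1.  Patterns are the post's; the '*'-wildcard matcher and the
sample requests are constructed for this example (not IOS code)."""
import re
from typing import Iterable, List, Optional, Tuple

URL_PATTERNS = [
    "*default.ida*", "*x.ida*", "*.ida*", "*cmd.exe*", "*root.exe*",
    "*_vti_bin*", "*_mem_bin*",
]
MIME_PATTERNS = ["*readme.exe*", "*readme.eml*"]


def _glob_to_regex(pattern: str):
    # Assumption: only '*' is a wildcard and matching ignores case;
    # everything else in the pattern is literal.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


_URL_RES = [_glob_to_regex(p) for p in URL_PATTERNS]
_MIME_RES = [_glob_to_regex(p) for p in MIME_PATTERNS]


def matched_clause(url: str, mime: Optional[str] = None) -> Optional[str]:
    """Return the first clause that puts the request in class http-hacks, or None.
    Note that "*.ida*" already covers the two more specific .ida clauses."""
    for pat, rx in zip(URL_PATTERNS, _URL_RES):
        if rx.match(url):
            return f'url "{pat}"'
    if mime:  # 'match protocol http mime' looks at the Content-Type of the transfer
        for pat, rx in zip(MIME_PATTERNS, _MIME_RES):
            if rx.match(mime):
                return f'mime "{pat}"'
    return None


def apply_policy(requests: Iterable[Tuple[str, str, Optional[str]]]) -> List[Tuple[str, str, int, str]]:
    """Mark (DSCP 1) and then filter like the post's policy-map plus ACL 101.
    Input tuples are (client, url, content_type); output rows are
    (client, url, dscp, 'deny' | 'permit')."""
    rows = []
    for client, url, mime in requests:
        dscp = 1 if matched_clause(url, mime) else 0   # set ip dscp 1
        action = "deny" if dscp == 1 else "permit"     # access-list 101 deny ip any any dscp 1 log
        rows.append((client, url, dscp, action))
    return rows


# Constructed sample requests (client, URL, Content-Type of the transferred body).
SAMPLE_REQUESTS = [
    ("10.1.1.5", "/index.html", "text/html"),
    ("192.0.2.10", "/default.ida", None),
    ("192.0.2.11", "/scripts/root.exe", None),
    ("192.0.2.12", "/_vti_bin/owssvr.dll", None),
    ("10.1.1.7", "/mail/attachment", "application/x-msdownload; name=readme.exe"),
    ("10.1.1.8", "/images/cmd.exe.png", "image/png"),  # substring match: a harmless file is dropped too
]


def summarize(rows) -> Tuple[int, int]:
    """(denied, permitted) counts, i.e. what the ACL's 'log' keyword would show."""
    denied = sum(1 for r in rows if r[3] == "deny")
    return denied, len(rows) - denied


if __name__ == "__main__":
    for row in apply_policy(SAMPLE_REQUESTS):
        print(row)
    print(summarize(apply_policy(SAMPLE_REQUESTS)))
```

The last sample row is the caveat worth remembering: these are substring matches, so anything whose URL merely contains "cmd.exe" is marked and dropped along with the worm traffic.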
*************************************************************************
*
From: Question 68
Subject: What is a FECN/BECN and does it mean anything?
First, when you use FR, it is not over a host to router connection. FR is going to be router to
ingress-FR-switch through cloud to egress-FR-switch to destination-router. With that in
mind, what you have to worry about with exceeding your CIR is the ingress FR switch.
FECN and BECNs are different mechanisms which I will explain in a minute.
Let me explain the algorithm that FR switches use to police your bandwidth usage. It is a
token/credit system that is implemented on the *ingress* FR switch (so the ingress switch is
the traffic cop). Keep in mind that everything that I am about to describe occurs entirely
within the FR switch, so when I say that you are given tokens to transmit, I mean that in the
software of the FR switch these tokens are kept track of, not that the FR switch transmits
tokens to your router to use for each frame. I'm going to start with a simple scenario in
which you only have a CIR and an EIR of 0. Anyway, every second (which is the default
interval, or Tc for those that want the real term) you get Bc tokens which is essentially
permission to transmit that many tokens worth of data over the time of that second.
Bc tokens decrement against the CIR, which is to say that Bc tokens are used to regulate the
CIR not the EIR (I will describe Be tokens later). At the end of the second you are given
more tokens for use during the next second. Every time the FR switch receives data from
the router, it subtracts tokens. What happens if you run out of tokens is that every frame
will be discarded until the next interval at which point you get more tokens. If it receives a
frame marked with a DE bit, it should discard it automatically.
However, most people don't buy FR service with a EIR of zero. In this case where you
have a CIR and an EIR, the token credit system is a little more complex. Every time
interval (Tc) you get Bc tokens and Be tokens. In the case that you are not setting the DE
on any frames, data received by the FR switch decrements credits from the Bc pool until
exhausted. Suppose the FR switch now receives a frame but there are no Bc tokens left
(you will get more Bc tokens in the next time interval) at the time. The FR switch will
check for a Be token, and if you have one, it will mark the DE field and transmit the frame
across the network and decrement tokens from the Be pool. Keep in mind that the Be pool
represents your burst capabilities over and above the CIR. IOW, Be tokens keep track of
the EIR and Bc tokens keep track of the CIR. Suppose the Be pool is exhausted and the Bc
pool is exhausted and another frame arrives. It is dropped, period. At the next time interval
you will get more Bc and Be tokens to use.
What happens if you mark your own DE frames? Well, when the ingress FR switch
receives a non DE-marked frame, it will subtract against the Bc token pool. If it receives a
DE-marked frame, it will subtract against the Be token pool. If it receives a non DE-
marked frame but there are no Bc tokens left, the FR switch will mark it DE, transmit it and
subtract Be tokens. If it receives any frame (regardless of DE or non DE-marked) and there
are no Bc or Be tokens left, the frame is dropped. So really the use of marking your own
DE frames simply allows you to be the master of your own destiny by categorizing your
own data intelligently instead of letting the FR switch do it based simply on the order of
arrival. And the reason you want to mark your own packets has to do with how the network
handles congestion (see below where I talk about BECN, etc.)
A couple of points are worth making. First, you cannot accumulate tokens over time.
There is a maximum amount which is the value of the committed burst (Bc) and this value
has a mathematical relationship with the CIR (CIR = Bc/Tc also EIR = Be/Tc). In almost
all cases Tc is set to 1 second, so the result is that CIR = Bc and EIR = Be. So if you have
the maximum number of tokens in your Bc token pool (max amount = Bc), and you send no
frames for the next hour, you will still only have Bc amount of tokens when you send the
next frame. Second, the above description is not 100% accurate so don't use it to teach a
class of newbie students. I simplified a number of things for the sake of getting the
concepts across, and in the process I sacrificed the accuracy of some of the information.
For instance, you don't get a lump of tokens all at once as I described--in reality, your
tokens replenish gradually over the Tc interval. Third, you only need a single token (which
represents a byte of data) to transmit a frame. So if you are out of Bc tokens and you only
have one Be token left, even if you send a 1500 byte frame, it will still be transmitted as DE
and the last token will be subtracted.
Ok, so how does the FR network handle DE or non-DE frames? Different vendors of FR
switches may be designed to operate differently, but I believe the following is the normal
behavior. If a node within the cloud starts to experience *mild* congestion, it starts setting
the FECN, BECN, or both bits on frames traversing the node. Routers connected to the FR
cloud that receive BECN bits should slow their transmission by buffering frames and
sending them slightly later. Routers that receive FECN bits might (if there is a way) signal
the sending router to slow transmission by buffering its frames. If a node starts
experiencing moderate congestion, it will start dropping frames marked DE. At heavy and
severe congestion levels, the node will start dropping other traffic as well. Depending on
vendor, there may be many levels of priority traffic (i.e. gold vs. bronze customers) to
determine exactly which frames to drop before others when experiencing heavy and severe
levels of congestion.
>> Say I have a CIR of 512 Kbps. Say the users in the site are generating 2
>> Mbps data (internet surfing, email, etc) and I'm not using Discard
>> Eligible(because I wouldn't know how to set that up anyway)
>>
>> Here is my guesswork. The routers may try to send more than 256kbps. The
>> switches will start sending FECN's and BECN's.
They shouldn't start generating FECNs and BECNs unless some FR switch along the path is
overloaded, and this (in theory) shouldn't happen since you are well below your CIR. IOW,
the network should be engineered to be able to handle everyone's CIR on a statistical basis.
If this were to happen on a regular basis, I would configure my router to ignore
BECNs/FECNs because I am paying for a CIR of 512k, and I'll be darned if I'll let my NSP
force my routers to throttle back when I am only using half of my CIR. They are
"committing" to 512k, so I want my 512k, not "256k if the network feels like it".
>> The routers will slow down sending rates. If a user is sending data to
>> a router faster than it can route, what will it do? Does TCP Window sizes
>> and acknowledgements between the PC's limit the rate at which the router
>> will receive data, so that it is unlikely ever to be too busy?
Remember that TCP windowing is an end-to-end mechanism, so routers in between aren't
part of the equation. PC's rarely send data *to* a router, but rather *through* a router. So
if a user is sending data through a router faster than it can route, the buffers in the router fill
up, overflow, and packets get dropped, resulting in retransmissions, and therefore the
starting over of the TCP windowing size.
>> If data is dropped by the router using DE, will the TCP resend process
>> between the PC's be the normal recovery process?
Routers don't drop DE frames. That is a FR switch function, not a router function. But,
yes, ultimately TCP is the process by which lost packets will be retransmitted.
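The Bc/Be token scheme and the quoted 512k scenario, as an added Python simulation (not from the post and not any switch vendor's implementation); it follows the post's simplified lump-refill model, and the EIR value, frame sizes and offered load used in the runs are assumptions made for this example.

```python
"""Simulate the ingress Frame Relay policer described in the post above:
each Tc the switch credits Bc bytes (committed, CIR*Tc) and Be bytes (excess,
EIR*Tc); a frame without DE spends Bc credit, a frame already marked DE (or
one arriving when Bc is exhausted, which then gets DE set) spends Be credit,
and a frame finding both pools empty is dropped.  Credit never accumulates
past Bc/Be.  Added example, constructed to follow the post's simplified
lump-refill model; a real switch refills gradually over Tc."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class FrPolicer:
    cir_bps: int          # committed information rate, bits/s
    eir_bps: int          # excess information rate, bits/s
    tc: float = 1.0       # measurement interval, seconds

    def __post_init__(self) -> None:
        self.bc = int(self.cir_bps * self.tc / 8)   # Bc in bytes: CIR = Bc/Tc
        self.be = int(self.eir_bps * self.tc / 8)   # Be in bytes: EIR = Be/Tc
        self.bc_tokens = self.bc
        self.be_tokens = self.be
        self._interval_start = 0.0

    def _refill(self, now: float) -> None:
        # At each Tc boundary the pools are reset to Bc/Be, not incremented,
        # so an idle hour earns nothing beyond one interval's worth.
        while now >= self._interval_start + self.tc:
            self._interval_start += self.tc
            self.bc_tokens = self.bc
            self.be_tokens = self.be

    def offer(self, now: float, size: int, de: bool = False) -> Tuple[str, bool]:
        """Police one frame; returns (verdict, DE bit as forwarded).
        verdict is 'commit', 'de' (forwarded with DE set) or 'drop'."""
        self._refill(now)
        # A single remaining token is enough to send a whole frame; the pool
        # is then charged for the frame and floored at zero.
        if not de and self.bc_tokens > 0:
            self.bc_tokens = max(0, self.bc_tokens - size)
            return "commit", False
        if self.be_tokens > 0:
            self.be_tokens = max(0, self.be_tokens - size)
            return "de", True
        return "drop", de


def simulate(policer: FrPolicer, frames: Iterable[Tuple[float, int, bool]]) -> Dict[str, int]:
    """Run (time, size, de) frames through the policer and count the verdicts."""
    counts = {"commit": 0, "de": 0, "drop": 0}
    for t, size, de in frames:
        verdict, _ = policer.offer(t, size, de)
        counts[verdict] += 1
    return counts


def constant_rate_frames(rate_bps: int, size: int, seconds: float, de: bool = False) -> List[Tuple[float, int, bool]]:
    """Constructed offered load: size-byte frames evenly spaced at rate_bps."""
    per_second = rate_bps // (size * 8)
    total = int(per_second * seconds)
    return [(i / per_second, size, de) for i in range(total)]


def question_scenario() -> Dict[str, int]:
    """The quoted question: CIR 512 kbit/s, users offering about 2 Mbit/s of
    1500-byte frames for one second, nothing marked DE.  EIR is assumed equal
    to CIR here; with the post's 'EIR of zero' every 'de' becomes a drop."""
    pol = FrPolicer(cir_bps=512_000, eir_bps=512_000)
    return simulate(pol, constant_rate_frames(2_000_000, 1500, 1.0))


def self_marked_de_keeps_bc() -> bool:
    """Marking your own DE frames charges Be and leaves Bc for the traffic you
    care about, and the next Tc restores both pools (assumed small rates)."""
    pol = FrPolicer(cir_bps=64_000, eir_bps=16_000)   # Bc = 8000, Be = 2000 bytes
    v1, _ = pol.offer(0.0, 1500, de=True)   # Be 2000 -> 500
    v2, _ = pol.offer(0.1, 1500, de=True)   # one token is enough: Be 500 -> 0
    v3, _ = pol.offer(0.2, 1500, de=True)   # Be empty: dropped, Bc never touched
    v4, _ = pol.offer(0.3, 1500)            # non-DE frame still has full Bc
    v5, _ = pol.offer(1.0, 1500, de=True)   # next Tc: pools reset, forwarded DE
    return (v1, v2, v3, v4, v5) == ("de", "de", "drop", "commit", "de") and pol.bc_tokens == 8000


if __name__ == "__main__":
    print(question_scenario())
    print(self_marked_de_keeps_bc())
```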
*************************************************************************
*
From: Question 70
Subject: How do I stop logging (generating snmp trap) for up/down interfaces?
Use the interface commands:
no logging event link-status
no snmp trap link-status
*************************************************************************
*
From: Question 71
Subject: How do I setup the variables to do tftpdnld in rommon?
You can use tftp, if available... if not, no luck... xmodem using console or another flash.
And I think you can upgrade the boot ROM to support the command tftpdnld, but I'm not sure about it:
IP_ADDRESS=10.1.1.16
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=10.1.1.2
TFTP_SERVER=10.1.1.2
TFTP_FILE=ios.bin
FE_SPEED_MODE=0
TFTP_VERBOSE=1
tftpdnld -d
*************************************************************************
*
From: Question 72
Subject: What is the order of operation in terms how a packet is processed?
From the book "Inside Cisco IOS Architecture":
1) compression/decompression
2) Encryption
3) Inbound ACL
4) Unicast reverse path checking
5) Input rate limiting
6) Broadcast handling (ip helpers)
7) Decrement TTL
8) Inspect subsystem (FW features)
9) Outside to Inside NAT
10) Handle router alert flags in the IP header
11) Search for outbound interface in the routing table
12) Policy routing
13) Handle web cache redirects
14) Inside to Outside NAT
15) Encryption
16) Output ACL
17) Final Inspect check
18) TCP Intercept processing.
*************************************************************************
*
From: Question 73
Subject: What are the different T1 jack type codes?
RJ48-BLAH where BLAH ==
"C" Identifies a surface or flush-mounted jack.
"W" Identifies a wall-mounted jack.
"S" Identifies a single-line jack.
"M" Identifies a multi-line jack.
"X" Identifies a complex multi-line or series-type jack.
The "X" variety can automatically loop up the line if you pull out the cable,
so it's usually called a "smartjack".
*************************************************************************
*
From: Question 74
Subject: How do I show just one interface's configuration?
My all time favourite "trick" is "show run int xx" where xx is the interface in question.
*************************************************************************
*
From: Question 75
Subject: How can I script a network reachability test?
Today a trouble ticket was elevated to our design team. It seems a bunch of users are
locking up while using Outlook with OpenMail servers. Not sure if it was network,
Outlook, OpenMail server, or combination of the above. Since the users were somewhat
senior level folks, it was not realistic to have to jot down detailed notes about when it
happened etc.
Since the PCs were all Wintel based, I wrote this in a hurry to include in their "START"
menu. Not being able to use Unix tools pretty much tied my hands, and I didn't put in a lot
of error checking, but hey, I only had about 30 minutes to whip this up.
Although it's a bit simple hope you find it somewhat useful.
------ BEGIN BATCH FILE ----
TITLE TESTING THE NETWORK
@echo off
cls
echo.
echo.
echo.
echo.
echo.
echo **********************************************************
echo **********************************************************
echo **********************************************************
echo * *
echo * *
echo * Running network test........ *
echo * This window will close automatically when *
echo * the testing has been completed. *
echo * *
echo * Please call XYZ at XYZ if you have any questions *
echo * *
echo * *
echo **********************************************************
echo **********************************************************
echo **********************************************************
:
: Create a temp folder for our use and start with some flower
: box delimiters
:
if not exist c:\mailte$t md c:\mailte$t
echo ***************************************>> c:\mailte$t\%username%.txt
echo ***************************************>> c:\mailte$t\%username%.txt
:
: Pipe in some blank lines and date time stamp.
echo. >> c:\mailte$t\%username%.txt
echo.|date | find /i "current" >> c:\mailte$t\%username%.txt
echo.|time | find /i "current" >> c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: Start a trace route w/o Rev-DNS lookups to our servers.
: The server name is given as a command line argument.
echo TRACE ROUTING TO %1 >>c:\mailte$t\%username%.txt
tracert -d %1.blah.foobar.com >>c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: ping with max sized ICMP packets
echo PINGING to %1 >>c:\mailte$t\%username%.txt
:
ping -L 1472 %1.blah.foobar.com | find /i "Reply from" >>c:\mailte$t\%username%.txt
:
echo. >> c:\mailte$t\%username%.txt
echo. >> c:\mailte$t\%username%.txt
:
: Now ftp it to the 2.104 server using the script file
: C:\ftpcmd.txt
:
ftp -s:c:\ftpcmd.txt x.x.2.104
exit
Contents of ftpcmd.txt file:
cisco
cisco1
put c:\mailte$t\*.txt
bye
exit
Basically, it's
username
password
ftp command
ftp command
etc. etc.
*************************************************************************
*
From: Question 76
Subject: Where can I find a list of undocumented IOS commands?
*************************************************************************
*
From: Question 77
Subject: Where can I find information on securing or hardening Cisco routers?
Cisco Router Hardening Step-by-Step
Improving Security on Cisco Routers:
Cisco PSIRT Advisories
Cisco's Security Technical Tips
Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks
Characterizing and Tracing Packet Floods Using Cisco Routers
Denial of Service (DoS) Attack Resources
*************************************************************************
*
From: Question 78
Subject: How can I connect two Cisco routers back to back through the AUX ports?
Connecting Routers Back-to-Back Through the AUX Ports
Configuring AUX-to-AUX Port Async Backup with Dialer Watch
Using the AUX Port on Cisco Routers for IP/IPX Router Communications
*************************************************************************
*
From: Question 79
Subject: How do I use Secure Shell (SSH) on Cisco devices?
Configuring Secure Shell (SSH) on Cisco IOS® Routers
How to Configure SSH on Catalyst Switches Running CatOS
*************************************************************************
*
From: Question 80
Subject: Can I use a /31 address space for my serial point-to-point interfaces?
It depends. If you have a 12.2.x release of IOS, you can use a /31 address.
For example:
interface Serial5/1
ip address 192.168.1.1 255.255.255.254
See the following for more information:
/122t2/ft31addr.htm
*************************************************************************
*
From: Question 81
Subject: How do I see log messages on the router console?
Log messages are broken into 7 levels, and they can go to 3 places:
- Console (console logging)
- Monitor (any line configured with "monitor" or with the "terminal monitor" exec command)
- Trap (syslog)
The command to turn up log messages is "logging (place) (level)".
In your case, you probably want "logging console informational" for minimum messages or
"logging console debug" for debugging messages.
Tip: console logging is disabled by default because the console serial port makes 1 interrupt
per character, and has the highest priority of any interrupt on the box. If you want to do
console logging, you should probably also rate limit the messages, since an uncontrolled
flood of messages to the console can literally cause the box to slow to a crawl and fail. In
most cases, it is a better idea to telnet to the box, and debug using 'monitor' logging and
"terminal monitor" on the vty.
*************************************************************************
*
From: Question 82
Subject: What is the overhead of using IPSec?
IPSec Overhead [ from another net posting ]
esp-des = 24 bytes
esp-3des = 24 bytes
ah-sha-hmac = 24 bytes
ah-md5-hmac = 24 bytes
esp-md5-hmac = 12 bytes
esp-sha-hmac = 12 bytes
standard header = 20 bytes
esp-des/esp-md5-hmac = 56 bytes
esp-3des/esp-sha-hmac = 56 bytes
esp-des/ah-sha-hmac = 68 bytes
esp-des/ah-md5-hmac = 68 bytes
esp-des/ah-sha-hmac/esp-sha-hmac = 80 bytes
other gre = 24 bytes
For example I use ESP over AH with a GRE tunnel in tunnel mode.
20 (IP header) + 24 (AH header) + 16 (ESP header) + 4 (GRE) +2 (ESP trailer)
My MTU is 1500 - 66 = 1434
*************************************************************************
*
From: Question 83
Subject: What is the pinout for the DB9 to RJ45 connector?
OK, I just tested the pinouts of a DB9-RJ45 adapter that I have here... this
is what I found:
DB9 RJ45
1 - nothing
2 - 6
3 - 3
4 - 2
5 - 4&5 together
6 - 7
7 - 1
8 - 8
9 - nothing
*************************************************************************
*
From: Question 84
Subject: Should I use a T1, Cable modem or DSL for Internet connections?
This question comes up often enough it probably should be in the FAQ. Each has its
advantages and each has its weaknesses. Which is best will depend upon the specific
business requirements and how the network is used.
T1/E1 - Providers tend to treat T1's as serious business products. They tend to be better
managed and service response to outages is usually quick. Data rate is a constant, if you
order 1.544Mbps, you get 1.544 Mbps in both directions. (Note: fractional T1 may be
available with asymmetric capacity provisioned).
DSL - Providers consider this a "consumer grade" offering. Users' experience has been more
frequent outages. More important, response to failures that do occur tends to be slow,
particularly if the local telco providing the copper is competing with the DSL provider.
ADSL provides asymmetric data rates, but "business grade" offerings, such as IDSL and
SDSL provide the same data rates both upstream and downstream. High data rates are only
available to users close to the telephone central office.
Cable - Shared medium subject to fluctuating bandwidth availability. Reliability will
depend upon the local cable company, and can vary widely. On average, tends to be about
as available as DSL. Only available in areas wired for cable TV, which could limit
availability in business parks and other non-residential areas. Also only available where the
cable franchise has chosen to offer the service.
Other Considerations (feel free to add ones I've missed)
Provisioning of redundant connectivity for servers offered to the public versus internal users
browsing the Internet versus VPNs for cost savings all have very different requirements and
solutions suitable for one may not work with the others.
BGP support for multihoming is typically only available on T1 links. But then again, if
you're only surfing or VPNing there are easier ways to get redundancy that do not require
BGP.
In most markets, you can buy a lot of ISDN backup for the price difference between
DSL/Cable and T1. Many DSL/Cable providers will block VPN and inbound traffic to your
servers unless you purchase their premium "business" service. Make sure the conditions of
service are compatible with your needs.
DSL is rarely good backup for T1 because both share the same single points of failure in the
telco local loop provisioning. Cable can provide more diversity as a backup, but may still be
sharing common single points of failure such as power poles.
*************************************************************************
*
From: Question 85
Subject: How do I change the time length of 15 mins that is used when displaying the Show
ISDN history command?
You can try the command isdn-mib retain-timer
*************************************************************************
*
From: Question 86
Subject: Why do I see "double" characters when I telnet into my router?
>I have a 2500 router, and it displays double commands as shown below.
>cclloocckk rraattee 6644000000
>What can I do to fix it? Thanks.
Looks to me like you have local echoing configured on your terminal emulator. Turn it off
and let the router do all the echoing.
*************************************************************************
*
From: Question 87
Subject: How do I see power-supply failures via SNMP?
You need two commands:
set snmp trap enable chassis
set snmp trap (ip address of snmp host) (public community string)
The first one tells the switch to send traps on chassis events, like a power
supply failing. The second tells the switch where to send the trap.
*************************************************************************
*
From: Question 88
Subject: How do I change the timer for tx/rxload when doing "show int" command?
Interface command: load-interval IN_SECONDS
*************************************************************************
*
From: Question 89
Subject: How do I setup FR End-to-End keepalives?
I believe so. Just so we're clear (to the original poster) bandwidth on
demand is the ability to kick up a line when you reach a certain threshold.
floating static can't be used since the lower admin-distance route will
never get a chance to float up.
FR e-t-e can be setup as follows:
int s0/0
blah
frame-relay class end-to-end-keepalive
blah
!
map-class frame-relay end-to-end-keepalive
frame-relay end-to-end keepalive mode bidirectional
*************************************************************************
*
From: Question 90
Subject: How do I setup NAT and Port forwarding?
int e0/0
desc This is the inside address using RFC address
ip addr 10.1.1.1 255.255.255.0
ip nat inside
!
int s0/0
desc This goes to the ISP using assigned address x.x.x.1/30
ip address x.x.x.1 255.255.255.252
ip nat outside
!
! Next line determines who will get to use the NAT
! Anyone coming from 10.1.1.0 address will be NATed.
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Next line assumes that you want to use one IP for everyone
! and use the port address translation. In your case, you could
! actually use one to one translation.
!
ip nat inside source list 1 interface serial0/0 overload
!
!Set up a static translation so you can telnet into your server
!Assume your server is at 10.1.1.5
!
ip nat inside source static tcp 10.1.1.5 23 x.x.x.1 23
!
!or forward http traffic to your 10.1.1.4 server
!
ip nat inside source static tcp 10.1.1.4 80 x.x.x.1 80
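As an added illustration (not part of the FAQ answer above), the following Python script parses the static port-forward statements from a configuration like the one shown and reports what each one exposes from the outside address, flagging forwards of cleartext management protocols such as the telnet example. The sample configuration is a constructed copy of the answer's lines, with the ISP placeholder x.x.x.1 replaced by the RFC 5737 documentation address 203.0.113.1 so that the lines parse; the list of ports treated as risky is the example's own assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the NAT statements of the FAQ answer, with the placeholder
# x.x.x.1 replaced by the documentation address 203.0.113.1 (an assumption).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static tcp 10.1.1.5 23 203.0.113.1 23
ip nat inside source static tcp 10.1.1.4 80 203.0.113.1 80
"""

# Services whose exposure through a static translation deserves a second look
# (example's own choice of ports, not a list from the FAQ).
RISKY_PORTS = {
    ("tcp", 23): "telnet: credentials cross the Internet in cleartext",
    ("tcp", 21): "ftp: cleartext logins",
    ("tcp", 445): "smb: file sharing exposed",
    ("tcp", 3389): "rdp: remote desktop exposed",
}

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)$"
)


def parse_static_translations(config):
    """Return one dict per 'ip nat inside source static <proto> ...' statement."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, in_ip, in_port, out_ip, out_port = m.groups()
            entries.append({
                "proto": proto,
                "inside": (ip_address(in_ip), int(in_port)),
                "outside": (ip_address(out_ip), int(out_port)),
            })
    return entries


def audit_port_forwards(config, inside_net="10.1.1.0/24"):
    """List every exposed service as (description, [notes]); notes are empty
    when nothing about the forward looks suspicious."""
    inside = ip_network(inside_net)
    findings = []
    for e in parse_static_translations(config):
        in_ip, in_port = e["inside"]
        out_ip, out_port = e["outside"]
        notes = []
        if not in_ip.is_private:
            notes.append("inside address is not an RFC 1918 address")
        if in_ip not in inside:
            notes.append(f"inside host is not in {inside}")
        reason = RISKY_PORTS.get((e["proto"], out_port))
        if reason:
            notes.append(reason)
        findings.append((f"{e['proto']}/{out_port} -> {in_ip}:{in_port}", notes))
    return findings


if __name__ == "__main__":
    for desc, notes in audit_port_forwards(SAMPLE_CONFIG):
        print(desc, "; ".join(notes) or "ok")
```

Run against the sample, the script lists the two forwards and attaches a note only to the telnet one; the HTTP forward to 10.1.1.4 comes back clean.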
*************************************************************************
*
From: Question 91
Subject: How can I policy-route router generated packets?
You need an 'ip local policy route-map ROUTE_MAP_NAME' if you want
traffic sourced from the router to go through policy (ie: pings).
*************************************************************************
*
From: Question 92
Subject: Is there another way to upload my IOS w/o a tftp server?
Here's what I do when I need to upgrade a router's IOS and I don't have LAN
or sync serial access to it for TFTP purposes.
1. Plug the following code into the router to configure it for PPP on the AUX port:
interface Async1
ip address 192.168.255.254 255.255.255.252
encapsulation ppp
no ip route-cache
async default routing
async mode dedicated
!
ip default-gateway 192.168.255.253
!line con 0
line aux 0
no exec
exec-timeout 0 0
modem InOut
transport input all
stopbits 1
rxspeed 38400
txspeed 38400
flowcontrol hardware
2. Configure a "dialup networking" entry on my Windows PC using the NULL-MODEM
driver available from the following Cisco URL:
Configure the dialup networking entry to use 192.168.255.253 as the IP address of the
dialing interface.
3. Start up the TFTP server on my Windows PC.
4. Connect to the router from my Windows PC using the dialup networking entry
5. Open up the router console and use regular TFTP commands to pull the image across.
Depending on what family of router you have (2500, 2600) your AUX port will
accommodate up to 38400 (older families) or 115200 (newer families).
*************************************************************************
*
From: Question 93
Subject: What does the keyword EXTENDABLE mean when doing NAT?
"Extendable" static translations:
The extendable keyword allows the user to configure several ambiguous static translations,
where ambiguous translations are translations with the same local or global address.
ip nat inside source static extendable
Some customers want to use more than one service provider and translate into each
provider's address space. You can use route-maps to base the selection of global address
pool on output interface as well as an access-list match. Following is an example:
ip nat pool provider1-space ...
ip nat pool provider2-space ...
ip nat inside source route-map provider1-map pool provider1-space
ip nat inside source route-map provider2-map pool provider2-space
!
route-map provider1-map permit 10
match ip address 1
match interface Serial0/0
!
route-map provider2-map permit 10
match ip address 1
match interface Serial0/1
.
.
.
Once that is working, they might also want to define static mappings for a particular host
using each provider's address space. The software does not allow two static translations with
the same local address, though, because it is ambiguous from the inside. The router will
accept these static translations and resolve the ambiguity by creating full translations (all
addresses and ports) if the static translations are marked as "extendable". For a new
outside-to-inside flow, the appropriate static entry will act as a template for a full
translation. For a new inside-to-outside flow, the dynamic route-map rules will be used to
create a full translation.
*************************************************************************
*
From: Question 94
Subject: Where can I get some third party icons for my Visio program?
Check out www.altimatech.com they sell a product called netzoom that has a great cisco
library that they keep up to date, they even take requests!
*************************************************************************
*
From: Question 95
Subject: Can you help me interpret the output from "Looking Glass" (BGP?)
>I am learning BGP.
>I notice a lot of our engineers where I work use looking glass at
>www.traceroute.org to get answers to a lot of their questions.
>Unfortunately it's hard to get them to give me a seminar.
>Looking glass isn't covered in my cisco press books.
>I am having a hard time grasping when I would need to use looking
>glass.
>and particularly how to use it.
>
>I put in an ameritrade address and it gives me the following.
>
>Query: bgp
>Addr: 64.236.2.194
>BGP routing table entry for 64.236.0.0/16, version 89281795
>Paths: (2 available, best #2)
> Not advertised to any peer
> 1668
> 66.185.128.93 (metric 445601) from 165.117.1.194 (165.117.1.194)
> Origin IGP, metric 4294967294, localpref 105, valid, internal
> Community: 2548:177 2548:209 2548:666 3706:115
> 1668
> 66.185.128.51 (metric 410701) from 165.117.1.166 (165.117.1.166)
> Origin IGP, metric 4294967294, localpref 105, valid, internal,
>best
> Community: 2548:177 2548:317 2548:666 3706:164
>
>
>What peer problems would arise where I may need this information?
>especially considering I would need to have a peer address to put in
>in the first place.
This is usually used to confirm that a route is being advertised by the proper ISP. You don't
put peer addresses in, you put destination network addresses in.
>I see there are communities. not sure who the community members are or
>what the parameters contained in the community attribs are. Any way to
>find out?
Most communities don't have standard meanings. Each AS assigns meanings to the
communities that it cares about. By convention, communities are formed by concatenating
the ASN that's using the community with a second number that the AS network
administrators assign, so the communities shown above are meaningful to AS 2548 and AS
3706. Communities are often used by ISPs to allow their customers to influence routing
parameters; for instance, the
customer can often send communities that control what localpref the ISP assigns to the
routes.
>Any good hints/web-links on how to use or get the most out of the
>looking glass site would be appreciated.
There's nothing really special about the looking glass, it's just showing you the output of
"show ip bgp" (and other router commands). It's no different from doing it on your own
routers, but the looking glass lets you do it from outside your network, so you can tell
whether a problem is
specific to your network or more widespread.
>Thank you for that enlightening input.
>This time I queried.
>Query: bgp
>Addr: 216.202.0.0
>It is a Genuity address.
>
>Here is the output below.
>Could someone explain
>" Advertised to non peer-group peers:
> 198.32.187.122 " this belongs to : Exchange Point Blocks (NET-EP-)
That's a BGP neighbor of the looking glass router, which the router will share this route
with.
>Also Genuity actually owns AS number "1" (Very prestigious).
>from the first entry
>"4.24.7.77 (metric 345601) from 165.117.1.127"
> it looks like Genuity 4.24.x.x is learning this from Digex
>165.117.1.127
>Why would Genuity learn their own address from Digex.
No, it means that *this* router (Digex's router at MAE-EAST) learned the route from
165.117.1.127. Since Digex doesn't connect to Genuity at MAE-EAST (tier 1 ISPs use
private peering amongst each other, we only use the public exchanges to connect with
smaller ISPs), it has to learn Genuity routes via the Digex backbone.
>Also could I assume that just because there is no path with AOL in it
>that AOL doesn't have a path to them?
No. The looking glass is just showing the routes from Digex to the destination. Why would
traffic from Digex to Genuity go through AOL?
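The answers above boil down to reading "show ip bgp" output: which paths exist, which one is best, and which AS originates the prefix. As an added example (not part of the FAQ thread), the Python below parses that output into a structure and performs the check the looking glass is usually consulted for, namely whether every path ends in the origin AS the prefix holder expects, which is how an unexpected announcement of your block by someone else shows up. The sample text is a constructed copy of the first query quoted above with its indentation restored; the expected origin AS passed to the check is the example's own input.

```python
import re

# Constructed sample in the format of the looking-glass output quoted in the
# question (same values, indentation restored, the wrapped "best" flag rejoined).
SAMPLE_OUTPUT = """\
BGP routing table entry for 64.236.0.0/16, version 89281795
Paths: (2 available, best #2)
  Not advertised to any peer
  1668
    66.185.128.93 (metric 445601) from 165.117.1.194 (165.117.1.194)
      Origin IGP, metric 4294967294, localpref 105, valid, internal
      Community: 2548:177 2548:209 2548:666 3706:115
  1668
    66.185.128.51 (metric 410701) from 165.117.1.166 (165.117.1.166)
      Origin IGP, metric 4294967294, localpref 105, valid, internal, best
      Community: 2548:177 2548:317 2548:666 3706:164
"""

ENTRY_RE = re.compile(r"BGP routing table entry for (\S+), version (\d+)")
PATHS_RE = re.compile(r"Paths: \((\d+) available, best #(\d+)\)")
ASPATH_RE = re.compile(r"^\s*(\d+(?:\s+\d+)*|Local)\s*$")
NEXTHOP_RE = re.compile(r"^\s*(\S+) \(metric (\d+)\) from (\S+) \((\S+)\)")
ATTR_RE = re.compile(r"^\s*Origin (\w+), metric (\d+), localpref (\d+), (.*)$")
COMM_RE = re.compile(r"^\s*Community: (.*)$")


def parse_show_ip_bgp(text):
    """Turn one 'show ip bgp <prefix>' entry into a dict with a list of paths."""
    entry = {"paths": []}
    path = None
    for line in text.splitlines():
        if m := ENTRY_RE.search(line):
            entry["prefix"], entry["version"] = m.group(1), int(m.group(2))
        elif m := PATHS_RE.search(line):
            entry["best"] = int(m.group(2))
        elif m := ASPATH_RE.match(line):
            # A line holding only AS numbers (or "Local") starts a new path.
            aspath = [] if m.group(1) == "Local" else [int(a) for a in m.group(1).split()]
            path = {"as_path": aspath, "communities": [], "best": False}
            entry["paths"].append(path)
        elif path is not None and (m := NEXTHOP_RE.match(line)):
            path["next_hop"], path["igp_metric"] = m.group(1), int(m.group(2))
            path["from"] = m.group(3)
        elif path is not None and (m := ATTR_RE.match(line)):
            path["origin"], path["med"] = m.group(1), int(m.group(2))
            path["localpref"] = int(m.group(3))
            path["flags"] = [f.strip() for f in m.group(4).split(",")]
            path["best"] = "best" in path["flags"]
        elif path is not None and (m := COMM_RE.match(line)):
            # Communities are ASN:value pairs; the ASN says who defined the meaning.
            path["communities"] = [tuple(int(x) for x in c.split(":"))
                                   for c in m.group(1).split()]
    return entry


def origin_as(path):
    """Last AS in the path, i.e. the network that announced the prefix."""
    return path["as_path"][-1] if path["as_path"] else None


def best_path(entry):
    return next((p for p in entry["paths"] if p["best"]), None)


def unexpected_origins(entry, expected_origin):
    """Paths whose origin AS is not the one you expect for this prefix."""
    return [p for p in entry["paths"] if origin_as(p) != expected_origin]


def communities_by_as(entry):
    """Group community values by the AS that defined them."""
    out = {}
    for p in entry["paths"]:
        for asn, value in p["communities"]:
            out.setdefault(asn, set()).add(value)
    return out


if __name__ == "__main__":
    e = parse_show_ip_bgp(SAMPLE_OUTPUT)
    print(e["prefix"], "best via", best_path(e)["next_hop"],
          "origin AS", origin_as(best_path(e)))
    print("communities:", communities_by_as(e))
    print("unexpected origins for AS 1668:", unexpected_origins(e, 1668))
```

Because the parser keys on the line shapes rather than on column positions, it also copes with entries that have more than two paths or multi-AS paths such as "1668 3356"; the origin check is what turns a looking-glass query into a routine verification that your prefix is still announced by the AS you expect.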
*************************************************************************
*
From: Question 96
Subject: When using Tunnel with an interface that has an ACL, what happens?
>I'm doing an IP tunnel between 2 routers with the command
>interface tunnel which has the ethernet0 source.
>Is the access-list applied on the ethernet0 inbound although filter the
>tunnel traffic ?
Yes. When traffic arrives, it will first be processed by the ethernet interface's inbound
access list. If it is permitted in, the router will then de-encapsulate the tunnel traffic, and it
will be processed by the tunnel interface's inbound access list.
*************************************************************************
*
From: Question 97
Subject: Do I need a Xover cable when using 1000Base-T?
Answer by: rich@richseifert.com (Rich Seifert)
> I guess it depends on the 1000baseT NICs. On mine, I've used both a
> crossover cable and a straight thru cable just fine to connect two NICs.
> They autonegotiate
Correct. First of all, 1000BASE-T *requires* Auto-Negotiation; it isn't designed to work
without it. Second, most 1000BASE-T equipment implements a function that detects
whether the cable is straight-through or crossover, and automatically configures itself to
work either way. (During the startup training, it can tell how the pairs are connected, and
connect each pair to the appropriate decoder module.)
*************************************************************************
*
From: Question 98
Subject: How do I break the "Rule of Ten" for BGP Load balancing?
Answer by: "Cajun"
That's not true. BGP WILL join two lines AND load balance across them. The trick is, you
have to make every single one of the "Rule of Ten" rules equal; which is not a difficult
thing to do. Weights, MED's, Local Preference, AS-Path, etc, will all most likely be identical,
provided both T1's come from the same provider (yes, I know he said they're different
providers.) You can load-balance with BGP across two links, provided the links terminate
on the same router on both ends. With everything else being equal, BGP will snag on the last
rule, using the IP address of the interfaces to decide which path to take. All you have to do
is break that last rule and you're home free.
Here's how you do it:
1) Place static routes on each router pointing across each link to get to the other's loopback
address.
2) Set up your neighbor statements with each other's loopback address.
3) Put in a neighbor statement with an update-source of your loopback address.
4) Enter another neighbor statement with ebgp-multihop.
BAM! You're done. You've just now broken the "Rule of Ten." BGP will have no choice
but to enter two routes into the routing table, which will load balance.
*************************************************************************
*
From: Question 99
Subject: How do I only accept a 0/0 Route but advertise my 30 addresses via BGP?
router bgp #####
no sync
! advertise your address block
network 1.2.3.a mask 255.255.255.224
neighbor x.x.x.x remote-as x
neighbor x.x.x.x filter-list 1 out
neighbor x.x.x.x distribute-list 1 in
neighbor y.y.y.y remote-as y
neighbor y.y.y.y filter-list 1 out
neighbor y.y.y.y distribute-list 1 in
! IBGP between the two routers
neighbor 1.2.3.b remote-as #####
! Only advertise locally-originated routes, not transit routes
ip as-path access-list 1 permit ^$
! Only accept a default route
access-list 1 permit 0.0.0.0
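To make the effect of the two filters in that configuration concrete, here is an added Python model (not from the FAQ) of what the router accepts and advertises. It treats the page's placeholder neighbors x.x.x.x and y.y.y.y as AS 64500 and AS 64510 (private ASNs, an assumption), uses 192.0.2.0/27 from the RFC 5737 documentation range for the advertised block, and constructs a few sample updates each upstream might send. The outbound filter "ip as-path access-list 1 permit ^$" passes only routes with an empty AS path, i.e. the locally originated block; the inbound distribute-list with "access-list 1 permit 0.0.0.0" passes only the default route. Running the model with the outbound filter disabled shows the route leak it prevents: one provider's default would be re-advertised to the other, offering your site as transit.

```python
import re
from ipaddress import ip_network

# Constructed sample of what we originate and what each upstream offers.
# Neighbor placeholders x.x.x.x / y.y.y.y are modelled as AS 64500 / AS 64510
# (an assumption); prefixes are from the RFC 5737 documentation ranges.
SAMPLE_UPDATES = [
    # (prefix, AS path as IOS prints it, learned from)
    ("192.0.2.0/27", "", "local"),                  # the /27 we advertise
    ("0.0.0.0/0", "64500", "64500"),                # default from ISP x
    ("198.51.100.0/24", "64500 64496", "64500"),    # a transit route ISP x also sends
    ("0.0.0.0/0", "64510", "64510"),                # default from ISP y
    ("203.0.113.0/24", "64510 64497", "64510"),     # a transit route ISP y also sends
]

# ip as-path access-list 1 permit ^$ : matches only an empty AS path, which
# is exactly the set of routes this router originated itself.
AS_PATH_ACL_1 = re.compile(r"^$")


def standard_acl_1_permits(prefix):
    """access-list 1 permit 0.0.0.0: without a wildcard IOS matches the network
    number exactly, so used as a distribute-list only the default route passes."""
    return ip_network(prefix).network_address == ip_network("0.0.0.0/0").network_address


def accepted_from(updates, neighbor):
    """Prefixes that survive 'neighbor <n> distribute-list 1 in'."""
    return [p for p, _, src in updates if src == neighbor and standard_acl_1_permits(p)]


def installed_routes(updates):
    """Local routes plus whatever the inbound filter let in from each neighbor."""
    neighbors = {src for _, _, src in updates if src != "local"}
    keep = {p for n in neighbors for p in accepted_from(updates, n)}
    return [r for r in updates if r[2] == "local" or r[0] in keep]


def advertised_to(routes, neighbor, filtered=True):
    """Prefixes sent to an eBGP neighbor: everything not learned from that
    neighbor, minus what 'filter-list 1 out' drops. filtered=False shows the
    leak that happens without the as-path filter."""
    out = []
    for prefix, as_path, src in routes:
        if src == neighbor:
            continue
        if filtered and not AS_PATH_ACL_1.search(as_path):
            continue
        out.append(prefix)
    return out


if __name__ == "__main__":
    routes = installed_routes(SAMPLE_UPDATES)
    for n in ("64500", "64510"):
        print(f"accepted from {n}:", accepted_from(SAMPLE_UPDATES, n))
        print(f"advertised to {n} (filtered):", advertised_to(routes, n))
        print(f"advertised to {n} (no filter):", advertised_to(routes, n, filtered=False))
```

The model is deliberately simple: it ignores best-path selection between the two defaults and treats every installed route as a candidate for advertisement, which is enough to show that the inbound filter alone does not prevent a leak and that the "^$" outbound filter is what keeps the site from becoming transit.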
*************************************************************************
*
From: Question 100
Subject: Should I turn off console logging?
Crashinfo reads from the log buffer, not the console itself. If you want to have console
messages included in crashinfo, you may turn on logging console BUT you also want to be
sure logging buffered is on. Once logging buffered is on, console messages do not go to the
physical console port and the interrupt problem is circumvented.
> My question is if it is good default practice to turn off console
> logging or not?
You should turn it off unless you are using logging buffered. It is off by default in modern
IOS versions.
>And on router (e.g. 7200 and 2600) that have console
> logging disable, would it reduce the useful info on crashinfo file when
> the router crashed?
Yes. But again, it will only save information from 'logging buffered.' So if you want the information,
you can turn on logging console, but only if you also use logging buffered....